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About This Guide 


This documentation describes how to install, deploy, and administer the NSS AD service included 
with OES 2015 SP1. 


* 


* 


* 


* 


* 


* 


* 


* 


Chapter 1, "Overview of NSS AD Support," on page 7 

Chapter 2, "Preparing to Deploy NSS AD,” on page 13 

Chapter 3, "Installing and Configuring NSS AD Support," on page 19 

Chapter 4, "Assigning NSS Trustee Rights for AD Users and Groups," on page 43 
Chapter 5, “Managing NSS AD,” on page 45 

Chapter 6, “NSS AD Utilities and Tools," on page 49 

Chapter 7, "Troubleshooting," on page 89 

Appendix A, “Reference Information," on page 93 


Feedback 


We want to hear your comments and suggestions about this manual and the other documentation 
included with this product. Please use the User Comment feature at the bottom of each page of the 
online documentation. 


Additional Documentation 


For information about other OES products, see the OES 2015 SP1 Documentation Web Site. 
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About This Guide 


Overview of NSS AD Support 


Beginning with OES 2015 or later, you can provide Active Directory users with the ability to 
seamlessly access NSS resources and administer them. AD users and groups do not need to move 
to eDirectory; NSS resources can be accessed by both AD and eDirectory users at the same time. 


Integration of NSS and Active Directory 


1. eDirectory user and group access to OES file services on NSS volumes 
is unchanged. 


rog mm — 


eDirectory 
Users and Groups 


2. Active Directory users and groups can now be granted | 
native Windows (CIFS) and FTP access to NSS volumes. 


Active Directory 
Users and Groups 


NSS Volumes on 
OES 2015 SP1 Servers 


1.1 Understanding What Changed to Enable NSS AD 
Support in OES 


+ Section 1.1.1, “Novell CIFS Access Changes,” on page 8 

+ Section 1.1.2, “OES Service Changes For NSS AD,” on page 9 

+ Section 1.1.3, “Multi-Forest Support for AD Users,” on page 9 

+ Section 1.1.4, “Utility and Management Tool Changes,” on page 10 
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1.1.1 


Novell CIFS Access Changes 


Figure 1-1 Novell CIFS Access Changes in OES 2015 SP1 


WORKSTATIONS AUTHENTICATION FILE SERVICE 


Active Directory 
User 


eDirectory 
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Windows 
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Active 
Directory 
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eDirectory 


Table 1-1 Summary of Novell CIFS Access Changes 


AUTHORIZATION 


Novell CIFS 


>| Novell FTP 


*uuuuuuunuuuuuuuat* 


CIFS Access OES 11 SP2 and Earlier OES 2015 and Later 
Component 
Users eDirectory users access NSS using their eDirectory and Active Directory users can 
eDirectory credentials. access NSS using their eDirectory and 
Active Directory credentials, respectively. 
Workstations Windows, Linux and Macintosh are No changes in platform support. 
supported. 
Authentication Only eDirectory is supported as an Both eDirectory and Active Directory are 
identity source. supported as identity sources. 
All file service access is controlled by For eDirectory users, NMAS authentication 
eDirectory authentication through NMAS. is still used. 
For Active Directory users, Novell CIFS 
interacts with Active Directory and the 
Kerberos service is used to authenticate the 
Active Directory users. 
File Service Novell CIFS is among the many file Novell CIFS offers support for Active 
services offered, which also include Directory users. 
Novell AFP, NetStorage, NCP, Novell FTP, 
and iFolder. Beginning with OES 2015 SP1, Novell FTP 
offers support for Active directory users. 
No other file services are enabled for AD 
user access at this point. 
Authorization Authorization to access NSS is handled X Authorization to access NSS through Novell 


by Novell CIFS working in cooperation 
with NSS. 
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CIFS is handled by NSS alone. This 
increases both the efficiency and the 
reliability of the authorization process. 


1.1.2 


1.1.3 


OES Service Changes For NSS AD 


Table 1-2 OES 2015 or Later Changes 


Service OES 2015 or Later Changes and Information 
Novell CIFS You can grant AD users native CIFS access to NSS volumes with Novell trustee 
model. 


* Beginning with OES 2015 SP1, Active Directory and eDirectory users can 
perform salvage and purge operation through NFARM (OES File Access Rights 
Management) utility. 


* AD users can access NSS resources in a multi-forest environment. 


Novell Cluster Services Cluster resources can now join to AD domains. 


(NCS) 

Distributed File DFS is supported in NSS AD environment. 

Services (DFS) 

Dynamic Storage DST is supported in NSS AD environment. 

Technology (DST) 

FTP Server Beginning with OES 2015 SP1, FTP server is supported in NSS AD environment. 
Novell Identity NIT lets you ensure that eDirectory and AD users requiring NSS authorization have 
Translator (NIT) the required UIDs. 


Beginning with OES 2015 SP1, it supports AD users in multi-forest environment. 


NSS (Novell Storage AD users can now access NSS through CIFS. 
Services) 


Storage Management SMS now supports backing up AD trustee information in NSS AD environment. 
Services (SMS) 


NSS Auditing Client Audit all file operations for AD users. 


Logger (VLOG 
gger ( ) Beginning with OES 2015 SP1, VLOG have been enhanced to filter based on user 


names and application names. 


Multi-Forest Support for AD Users 


Beginning with OES 2015 SP1, multi-forest support allows access to NSS resources from Active 
Directory users belonging to AD forests having bi-directional trust with OES joined forest or AD 
domains having bi-directional external trust with OES joined forest. 


The following OES components supports multi-forest for AD users: NSS, CIFS, DFS, DST, Migration 
Tool, NIT, SMS, and VLOG. 
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1.1.4 Utility and Management Tool Changes 


Table 1-3 OES 2015 or Later Utility Changes 


Utility 


Changes and Information 


iManager Storage Plug- The following capabilities have been added to the iManager Storage plug-in: 


Ins 


NFARM 


nitconfig 


novcifs 


novell-ad-util 


nsschown 


nsscon 


nssmu 


nssquota 


* Pool Type: Creating NSS 64-bit pools and volumes and displaying pool type 
information. 


* AD media: Support for creating, upgrading, and enabling pools and volumes to 
support AD users. 


For more information, see Managing NSS Pools in the OES 2015 SP1: NSS File 
System Administration Guide for Linux. 


NFARM shell extension lets AD administrators to manage NSS ACLs for AD users/ 
groups. 


Beginning with OES 2015 SP1, Active Directory and eDirectory users can perform 
salvage and purge operation. 


For more information, see Section 6.5.8, "Salvage and Purge," on page 77. 


Lets administrators configure the NIT configuration parameters contained in the 
nitd.conf file. 


For more information, see "nitconfig utility" on page 53. 
Lists the AD connections. 


Lets the administrators join an OES 2015 (or later) server or a cluster resource to an 
Active Directory domain and manage the Kerberos keytabs. 


For more information, see Section 6.3.1, “novell-ad-util Command Line Utility,” on 
page 57. 


Options are added for changing file and directory ownership based on the owner's 
Security Identifier (SID) or AD Username. There is also an option to change the 
ownership of extended attributes at the same time. 


Commands are enhanced for AD media upgrade commands and AD enabling the 
volume. 


For more information, see NSS Media Upgrade Commands in the OES 2015 SP1: 
NSS File System Administration Guide for Linux. 


Utility is enhanced for media upgrading a pool to support AD users, AD enabling the 
volume, and joining the cluster pool to the AD domain. 


For more information, see NSS Management Utility (NSSMUJ) Quick Reference in the 
OES 2015 SP1: NSS File System Administration Guide for Linux. 


Options are added for setting quotas for AD users and groups. 


* -aor --activedirectory 
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Utility 


NURM 


rights 


Changes and Information 


NURM lets administrators create maps between eDirectory and Active Directory 
users and supports ACL migration from eDirectory to Active Directory. 


Beginning with OES 2015 SP1, NURM provides the following enhancements and 
changes: Contextless login, Refreshing user maps, Two way synchronization of 
rights, Secure LDAP port to connect to the AD server, Map rights using multiple user 
maps, and Pagination and filtering. 


For more information, see NURM (OES User Rights Management). 
Options are added for managing rights for AD users and groups. 


* -aor--activedirectory 
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2.1 


2.2 


Preparing to Deploy NSS AD 


Use the information in the following sections as you plan your NSS AD deployment. 


+ Section 2.1, “Software and Hardware Requirements,” on page 13 
+ Section 2.2, “Meeting NSS AD Infrastructure Requirements,” on page 13 


+ Section 2.3, “Joining OES to AD Domain When OES and AD are Present in Different DNS 
Domain,” on page 14 


+ Section 2.4, “Planning to Assign AD User and Group Trustee Rights,” on page 15 
+ Section 2.5, “Coexistence with NSS AD,” on page 15 
+ Section 2.6, “Caveats for Deploying NSS AD,” on page 17 


Software and Hardware Requirements 


NSS AD has no additional requirements beyond those outlined in “Meeting All Server Software and 
Hardware Requirements’ in the OES 2015 SP1: Installation Guide. 


Meeting NSS AD Infrastructure Requirements 


You can select NSS AD pattern during OES installation or after the OES server is installed and 
running. 


Table 2-1 Preparing Your Infrastructure for OES 2015 or Later 


Selecting NSS AD pattern with OES Installing NSS AD post OES Server 


Server installation installation 
OES 2015 SP1 Ensure to select the NSS AD pattern Ensure the OES server that will run NSS AD is 
Server during OES server installation. fully patched (including SLES 11 SP4 patches) 
before you install NSS AD. 
Active Ensure that your Active Directory deployment meets the following constraints: 
Directory 


* The Domain Controller for the domain your OES server will join is a Windows 2008, 
Windows 2008 R2, Windows 2012, or Windows 2012 R2 server. 


* Your NSS AD deployment targets can be a Single AD forest or Multi-forest environment. 


* Single Forest Environment: Create a Universal Group with the 
sAMAccountName "OESAccessGrp" anywhere in the AD forest. Only the 
members of this group will have access to the NSS resources based on their 
trustee assignments. In absence of this group, all the AD users in the forest can 
access the NSS resources based on their trustee assignments. 


* Multi-Forest Environment: Create a Domain Local Group (DLG) with the 
sAMAccountName "DLOESAccessGrp" in the AD domain to which this OES 
server is joined. Only the members of this group (OES forest and across forest) will 
have access to the NSS resources based on their trustee assignments. In absence 
of this group, the AD users across the forest cannot access the NSS resources. 
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Selecting NSS AD pattern with OES Installing NSS AD post OES Server 


Server installation installation 
AD Rights Identify the username and password of an AD user who has rights to join the OES server to 
the domain. 


The following rights are required on the container where the OES server object will be 
located: 


* Reset password 
* Create computer objects 
* Delete computer objects 


+ Read and write the msDs-supportedEncryptionTypes attribute 


DNS 1. Ensure that the DNS service that the 1. Ensure that the OES server can resolve the 
OES server will use is configured DNS name of the AD domain controller for 
such that the server will be able to the domain that the server will join. 


resolve the DNS name of the AD 
domain controller for the domain to 
which the server will be joined. 


2. Ensure that the DNS service 
includes a reverse lookup entry for 
the AD domain controller. 


2. Ensure that the DNS service includes a 
reverse lookup entry for the AD domain 
controller. 


Novell CIFS Install and configure Novell CIFS at the Ensure that the Novell CIFS service that AD 
same time as you install OES and NSS users will access is configured and operational 


AD Support. on the OES server. 
Time Ensure that the date and time settings that Ensure that the date and time for the OES server 
Synchronizati you specify for the OES server match match the AD domain controller's date and time. 
on those of the AD domain controller. 


23 Joining OES to AD Domain When OES and AD are 
Present in Different DNS Domain 


Consider the scenario where OES server is present in one DNS domain and AD server is present in 
another DNS domain. Before joining OES to AD domain, do the following: 


* Ensure to meet the NSS AD requirements. For more information, see Prerequisites for Installing 
and Configuring NSS AD in the OES 2015 SP1: Installation Guide. 
* The OES server should be able to resolve the DNS queries for the AD domain. 
The example provides how to successfully join OES server to AD domain when OES and AD servers 
are in two different domains: 
1. OES server is in oesdomain.com with the DNS server IP address 192.168.1.2 
2. AD server is joined to addomain.com with the DNS server IP address 192.168.20.22 


3. The DNS server with the IP address 192.168.1.2 should resolve the DNS queries on 
addomain.com. There are different ways to resolve the DNS queries, we have considered using 
DNS forwarder in this example: 


a. Configure the forwarder on 192.168.1.2 that points to 192.168.20.22 


b. Ensure all the PTR records exists for all Domain Controller (DC) and Global Catalog (GC) in 
192.168.20.22 
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2.5.1 


c. From the OES server console, verify if the AD DC server and AD domain is resolvable. 


nslookup adserver1.addomain.com 
nslookup addomain.com 


The command should execute successfully and display details of the AD server and 
domain. 


NOTE: For FTP AD remote navigation, ensure that the search attribute present in /etc/ 
resolv.conf is configured with all the AD domain entries of the OES servers. 


Planning to Assign AD User and Group Trustee 
Rights 
Do the following: 


1 Identify the Active Directory users and groups that need access to NSS resources. 
2 You can assign the NSS trustee rights to your AD users and groups in two ways: 


* Using NFARM (Windows explorer shell extension) or rights utility on the OES server. For 


more information about NFARM, see Section 6.5, “NFARM (OES File Access Rights 


Management),” on page 71 and rights in OES 2015 SP1: NSS File System Administration 


Guide for Linux. 


* Using the NURM utility. This method assumes that at least some of your network users and 


groups have identities in both eDirectory and Active Directory that can be mapped to each 


other. For more information about NURM, see Section 6.4, “NURM (OES User Rights 
Management)," on page 61. 


NOTE: If an AD user group membership is modified between the user login to AD domain and 


mapping to OES CIFS server, the AD user must logout and login again to the AD domain to 
perform the file operations on OES server. 


Coexistence with NSS AD 


The following sections cover NSS AD coexistence. 


+ Section 2.5.1, “Incompatiblities at a Server Level,” on page 15 

+ Section 2.5.2, “NSS AD Is Network-Compatible with All OES Services," on page 16 
+ Section 2.5.3, “NSS AD Doesn't Affect Backward Compatibility,” on page 16 

+ Section 2.5.4, “Ensuring DST Support for NSS AD,” on page 16 

¢ Section 2.5.5, “DFS Deployment with NSS AD,” on page 16 


Incompatiblities at a Server Level 


Do not install the following services on the same server as NSS AD: 


* Novell Samba 
+ DSfW 
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2.5.2 


2.5.3 


2.54 


2.5.5 


NSS AD Is Network-Compatible with All OES Services 


Introducing NSS AD into your OES service mix will not cause any conflicts with existing OES services 
on your network. 


NSS AD Doesn't Affect Backward Compatibility 


The following services and components, which were modified to support NSS AD, are compatible 
with pre-OES 2015 servers, with important exceptions noted. 

* Access Control Lists 

* Backup (SMS) 

* Novell CIFS 

* Novell Distributed File Services (DFS) 

* Novell Dynamic Storage Technology (DST) 
Novell Cluster Services (NCS) 


* 


IMPORTANT: Pre-OES 2015 nodes cannot mount NSS-AD enabled pools and volumes. For 
more information, see Section 2.6.1, “Clustered Node Issue,” on page 17. 


* NSS (Novell Storage Services) 
* Salvage 


Ensuring DST Support for NSS AD 


To provide NSS AD support in an environment that contains Dynamic Storage Technology (DST), you 
must do the following: 


* Ensure that the OES server or the cluster node where the primary and shadow volumes exist, 
has joined the Active Directory domain as part of the normal NSS AD deployment process. 


* Ensure that both the primary and the secondary (shadow) volumes are AD-enabled. 


The primary and secondary volumes can be of the same type (NSS32 or NSS64) or mixed 
(NSS32 and NSS64). 


For more information on DST, see OES 2015 SP1: Dynamic Storage Technology Administration 
Guide. 


DFS Deployment with NSS AD 


* "DFS Source and Target Is NSS AD Enabled" on page 16 


+ “DFS in Heterogeneous Environment" on page 17 


DFS Source and Target Is NSS AD Enabled 


The DFS source and target server are configured with OES 2015 or later with NSS AD support. For 
AD users to access a DFS junction using the CIFS client, the following is required: 


* The DFS source and the target server must have joined the AD domain. 
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2.6 


2.6.1 


* The pools and volumes present in DFS source and target server should be media-upgraded and 
AD-enabled respectively. 


* AD users must have trustee rights on the files and folders they need to access. 


DFS in Heterogeneous Environment 


During the NSS AD deployment process, there is, of course, a period of time during which some 
servers are running NSS AD and some are not. 


If the DFS source is NSS AD configured and the target is a pre-OES 2015 server, then for seamless 
access of data on the pre-OES 2015 server, ensure that both the Active Directory and eDirectory 
credentials have same usernames and passwords. 


When the AD user accesses the pre-OES 2015 server, the CIFS client authenticates with the AD 
credentials and fails. CIFS then falls back to use eDirectory credentials and the user is able to access 
the data. 


Caveats for Deploying NSS AD 


Be aware of the following caveats before installing and configuring NSS AD. 


+ Section 2.6.1, “Clustered Node Issue,” on page 17 
+ Section 2.6.2, “Recommendations During Upgrade,” on page 18 


Clustered Node Issue 


Pre-OES 2015 servers cannot mount NSS-AD media-upgraded pools. 


1 If possible, you should upgrade all cluster nodes to OES 2015 or later as part of your NSS-AD 
deployment. 


2 If you cannot upgrade your cluster nodes at the same time, ensure the following: 


A mixed node cluster environment can contain OES 11 SP2, OES 2015, and OES 2015 SP1 
nodes. The AD media upgraded NSS32 and NSS64 pools cannot be loaded in OES 11 SP2 
nodes. 


When a resource comes online, it tries to load on a node based on the preferred node 
assignment (OES 2015 or later nodes), and the older OES cluster nodes are skipped from the 
preferred node list. If OES 2015 or later nodes are not available in the cluster, the resources are 
moved to "unassigned" state. 


However, if the upgraded (OES 2015 or later) node comes up or any new OES (OES 2015 or 
later) node is added to the cluster, the resource will automatically loads on the OES 2015 or later 
node. 


IMPORTANT 


* All nodes in the cluster must be patched with the latest OES patches. Otherwise, the AD 
media resource goes to comatose state on nodes earlier than OES 2015. 


* All nodes in the cluster must belong to OES 11 SP2 or later. If any OES node in the cluster 
is older than OES 11 SP2, this feature does not work. 


For more information, see "Configuring Preferred Nodes and Node Failover Order for a 
Resource” in the OES 2015 SP1: Novell Cluster Services for Linux Administration Guide. 
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Recommendations During Upgrade 


When upgrading the OES server, if NSS AD pattern is selected, then any misconfiguration in joining 
the domain can result in upgrade failure. Hence, it is recommended not to install NSS AD Support as 
part of the upgrade process. Instead, you must do the following: 


1 Complete the upgrade/migration processes as documented in “Upgrading to OES 2015 SP1” in 
the OES 2015 SP1: Installation Guide 
2 Ensure that all of the NSS AD Infrastructure Requirements are met. 


3 Run the YaST OES Installation module (or the NSS AD Support module) on the OES server and 
complete the applicable instructions in Chapter 3, “Installing and Configuring NSS AD Support,” 
on page 19. 


For information on planning a migration to OES 2015 SP1, see the OES 2015 SP1: Migration Tool 
Administration Guide. 
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Installing and Configuring NSS AD 
Support 


IMPORTANT: The information in this section supplements but does not replace the official OES 
installation and upgrade instructions that are contained in the OES 2015 SP1: Installation Guide. 


This section covers the following topics: 


+ Section 3.1, “Installing a New OES Server and Deploying NSS AD,” on page 20 


+ Section 3.2, "Upgrading to OES 2015 SP1 and Deploying NSS AD (Non-Clustered 
Environment),” on page 28 


* Section 3.3, “Upgrading to OES 2015 SP1 and Deploying NSS AD (Clustered Environment),” on 
page 35 


+ Section 3.4, "Leave a AD Domain,” on page 41 
* Section 3.5, “Reconfiguring NSS AD,” on page 42 


* Section 3.6, “Renaming the Netbios Name of OES Host or Cluster Resource,” on page 42 
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3.1 poraning a New OES Server and Deploying NSS 


Figure 3-1 Installing OES as a New Server and Deploying NSS AD 
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Installing OES 2015 SP1 and Deploying NSS AD 


e Install OES 2015 SP1 as a new installation and 
include the NSS AD Support module in your =y 
pattern selections. 
Specify the NSS AD Support settings to: Integrated OES 2015 SP1 
+ Install NSS AD software OES 2015 SP1 : 


* Join the AD Domain. Media 
+ Setthe NIT UID range. 


Verify that the AD Domain and Kerberos are 
configured and working as expected. 


After the server is installed, fully patched, and 

running, media-upgrade the NSS32 Pools that 

you are targeting for AD access. 

(NSS64 pools are inherently upgraded.) NSS32 Pools 


o AD-enable targeted NSS Volumes. 


NSS Volumes 


o Provision NSS access for AD users who have 
matching eDir accounts by running NURM. 


NSS Volumes 


Provision the remaining AD users by using 
NFARM or the rights utility. 


E Access AD-enabled NSS Volumes 
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IMPORTANT: Before proceeding, ensure that you have met all the prerequisites specified in 
Section 2.2, “Meeting NSS AD Infrastructure Requirements,” on page 13. 


If you want to install NSS AD after your OES server is installed and running, follow the instructions in 
Section 3.2, “Upgrading to OES 2015 SP1 and Deploying NSS AD (Non-Clustered Environment),” on 
page 28, starting with Step 2. 
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Table 3-1 Installing OES and Deploying NSS AD 
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Process 


aD 1. 


Information and Links 


Using the instructions in the installation guide, install only one OES server at a time in your 
eDirectory tree. 


For detailed instructions, see "Installing OES 2015 SP1 as a New Installation" in the OES 2015 
SP1: Installation Guide. 


2. When you reach the Software Selections screen, select the Novell Storage Service AD 
Support pattern along with the other services that you are installing. 


(& vast yay  — mamm 
Preparation % Novell Storage Services AD Support Configuration 


> OES Configuration 


AD Domain Name 
ACME.COM 


AD Supervisor Group 
(Domain Admins 
AD User Name 
Administrator 


Password 


Container to create Computer Object 
CN=Computers 


C Use pre-created computer object 


Novell Identity Translator (NIT) Configuration 

X| Generate UIDs for AD users 
UID Range 

Start End 


T$ [200000 5j 


100000 


3. Specify the required details: 


* 


* 


AD Domain Name: Is the domain that the OES server is joining. 


AD Supervisor Group: Is the AD supervisor group name. The AD users belonging to 
this group will have supervisory rights for all the volumes associated with that OES server. 


AD User Name: Specify an AD administrator or user with the following privileges required 
to join the domain: 


* Reset password 
* Create computer objects 
* Delete computer objects 
* Read and write the msDs-supportedEncryptionTypes attribute. 
Password: Is the password of the AD user who is used for the domain join operation. 


Container to Create Computer Object: The container where the OES 2015 SP1 
computer object will live. 


If you have already created a computer object in Active Directory for the OES server, 
select Use pre-created computer object and include the object name in the 
specification. 


Novell Identity Translator (NIT) Configuration: NIT manages UIDs as required for 
data access on a Linux server. For more information, see "Section 6.2, "NIT (Novell 
Identity Translator)," on page 50”. 


4. When you click Next, you should receive a message that The domain join is in 
progress. 
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Process 


Information and Links 


1. Ensure that the OES computer object is created in the AD domain you specified. 


2. Verify that the default keytab entries for the OES server are created by entering the following 
command at the server’s terminal prompt: 


klist -k 


For example: 


tsts 


rv:~/Desktop #klist -k 


Keytab name: FILE:/etc/krb5.keytab 


KVNO 


ND ND ND N D ND ND ND ND ND N 


2 
tsts 


Principal 

tstsrv$@ACME.COM 
tstsrv$@ACME.COM 
tstsrv$@ACME.COM 
cifs/tstsrv.acme.com@ACME.COM 
cifs/tstsrv.acme.com@ACME.COM 
cifs/tstsrv.acme.com@ACME.COM 
cifs/tstsrv@ACME.COM 
cifs/tstsrv@ACME.COM 
cifs/tstsrv@ACME.COM 
host/tstsrv.acme.com@ACME.COM 
host/tstsrv.acme.com@ACME.COM 
host/tstsrv.acme.com@ACME.COM 
rv:-/Desktop # 


The 12 keytab entries represents the Service Principals of the OES server. 


3. You can also execute kinit -k «name of the OES server>$ to ensure that the OES 
server is joined to the AD domain successfully. 


For example, kinit -k tstsrv$ 


On successful execution of the above command, it does not display any output message and 
returns to terminal. 


1. Media-upgrade the NSS32 pools that your AD users need access to. 


The following is a simple, GUI-driven method. 


a. 


b 
C 
d. 
e 


At a terminal prompt, enter nssmu. 


. Select Pools 


. Select a pool. 


Type g, then type Y(es) » O(kay). 


. Select another pool and continue until all of the NSS32 pools that AD users need access 


to are media-upgraded 


For more information on the NSS Media upgrade options and processes, see "NSS Media Upgrade 
Commands’ in the OES 2015 SP1: NSS File System Administration Guide for Linux. 
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Process Information and Links 
© 1. AD-enable the NSS volumes that your AD users need access to. 


The following is a simple, GUI-driven method. 
a. At a terminal prompt, enter nssmu. 
b. Select Volumes 
c. Select a volume. 
d. Type G, then type Y(es) > O(kay). 
e. Select another volume and continue until all of the volumes that AD users need access to 
are AD-enabled. 


For more information on the NSS Media upgrade options and processes, see “NSS Media Upgrade 
Commands” in the OES 2015 SP1: NSS File System Administration Guide for Linux. 


See also, “AD-enable the Volume” in the OES 2015 SP1: NSS File System Administration Guide for 
Linux. 


e 1. Review the information in Chapter 4, “Assigning NSS Trustee Rights for AD Users and 
Groups," on page 43 to ensure that you understand the trustee-assignment processes and the 
associated caveats, then continue with Step 2. 


2. Assess whether the OES User Rights Map utility (NURM) applies to your organization by 
considering the following questions: 


a. Do any of your AD users and groups have matching eDirectory accounts? 


If so, you can use the OES User Rights Map utility (NURM) to map the rights between 
eDirectory and Active Directory users and groups and then apply NSS trustee 
assignments based on the mapping. 


If not, skip to process 6. 


b. Do you use NetlQ Identity Manager 4.5 or later to coordinate identities and passwords 
between Active Directory and eDirectory, and do you have a user map that was created 
using IDM Designer? 


If so, NURM can leverage that map. 
If not, you can create a map using NURM. 


c. Do you want to consolidate your overlapping eDirectory and Active Directory accounts to 
only Active Directory? 


If so, you can have NURM delete the eDirectory trustee assignments. 
3. If applicable, run NURM to assign NSS trustee rights to your AD users. 


For more information, see Section 6.4, "NURM (OES User Rights Management)," on page 61. 


© 1. For AD users and groups who need NSS access and do not have matching eDirectory 
accounts, you can grant trustee assignments using either the NFARM Windows shell extension 
or the rights utility. 


2. Use other NSS tools to manage file and directory ownership, usage quotas and the other 
things that you manage for eDirectory users and groups. 


» 


For more information, see “OES File Access Rights Management (NFARM)”, "rights", 
"nsschown", and "nssquota" in the OES 2015 SP1: NSS File System Administration Guide for 
Linux. 
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Process Information and Links 


Go To access the AD enabled NSS volumes, do the following: 


* Ensure to create a forward lookup DNS entry for OES server where AD enabled NSS volumes 
are available. 

* Map the NSS volume with the complete DNS name of the OES server or host name (not with 
the IP address). 
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3.2 Upgrading to OES 2015 SP1 and Deploying NSS 
AD (Non-Clustered Environment) 


Figure 3-2 Upgrading to OES 2015 SP1 and Deploying NSS AD in a Non-Clustered Environment 
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Upgrading a Server and Deploying NSS AD 
(Non-Clustered Environment) 


[1] Upgrade the OES server to OES 2015 SP1. 


On the fully upgraded and patched server, run 
YaST and install the NSS AD Support module to: 


* Install NSS AD software 
* Join the AD Domain. 
* Setthe NIT UID range. 


Verify that the AD Domain and Kerberos are 


configured and working as expected. 


NSS-AD Media-upgrade targeted NSS32 Pools. 
(NSS64 pools are inherently upgraded.) 


o AD-enable targeted NSS Volumes. 


Provision NSS access for AD users who have 
matching eDir accounts by running NURM. 


Provision the remaining AD users by using 
NFARM or the rights utility. 


(8) Access AD-enabled NSS Volumes 


N—e-w 


Supported OES 2015 
previous releases SP1 


OES server AD Domain 


[A] ae 


Kerberos Active Directory 


| 


NSS32 Pools 


NSS Volumes 


eDirectory Active 
Or Directory 


& Susanne —»| à Susanne 
à Thomas a Thomas 
& Albert & Albert 


NSS Volumes 


Active 


Directory 


à Jose 
è Mia 
à Stephanie 


Client NSS Volumes 
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IMPORTANT: Before proceeding, ensure that you have met all the prerequisites specified in 
Section 2.2, “Meeting NSS AD Infrastructure Requirements,” on page 13. 


Table 3-2 Upgrading to OES 2015 SP1 and Deploying NSS AD 


Process Information and Links 


a5 Using the instructions in the installation guide, upgrade only one server in your tree at a time. 


IMPORTANT: When upgrading the OES server, if NSS AD pattern is selected, then any 
misconfiguration in joining the domain can result in upgrade failure. Hence, it is recommended not to 
install NSS AD Support as part of the upgrade process. 


For detailed instructions, see "Upgrading to OES 2015 SP1” in the OES 2015 SP1: Installation 
Guide. 
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Process Information and Links 


® 1. On the OES server, run YaST and when you reach the Software Selections screen, select the 
Novell Storage Service AD Support pattern. 
2. When you reach the YaST OES Patterns screen, select the Novell Storage Service AD 
Support pattern. 
Wi vast po ——— Er" 
Preparation ® Novell Storage Services AD Support Configuration 


» OES Configuration 


AD Domain Name 
| ACME.COM 


AD Supervisor Group 


[Domain Admins 
AD User Name 
| Administrator 


Password 
f 


Containerto create Computer Object 
| CN=Computers 


|] Use pre-created computer object 


Novell Identity Translator (NIT) Configuration 
X| Generate UIDs for AD users 
UID Range 
Start End 
[100000 +) [200000 + 


3. Specify the required details: 
+ AD Domain Name: Is the domain that the OES server is joining. 


* AD Supervisor Group: Is the AD supervisor group name. The AD users belonging to 
this group will have supervisory rights for all the volumes associated with that OES server. 


* AD User Name: Specify an AD administrator or user with the following privileges required 
to join the domain: 


* Reset password 
* Create computer objects 
* Delete computer objects 
+ Read and write the msDs-supportedEncryptionTypes attribute. 
* Password: Is the password of the AD user who is used for the domain join operation. 


* Container to Create Computer Object: The container where the OES 2015 SP1 
computer object will live. 


If you have already created a computer object in Active Directory for the OES server, 
select Use pre-created computer object and include the object name in the 
specification. 


* Novell Identity Translator (NIT) Configuration: NIT manages UIDs as required for 
data access on a Linux server. For more information, see "Section 6.2, "NIT (Novell 
Identity Translator)," on page 50”. 


4. When you click Next, you should receive a message that The domain join is in 
progress. 


Installing and Configuring NSS AD Support 


32 


Process Information and Links 


e 1. Ensure that the OES computer object is created in the AD domain you specified. 


2. Verify that the default keytab entries for the OES server are created by entering the following 
command at the server's terminal prompt: 


klist -k 


For example: 


tsts 


rv:~/Desktop #klist -k 


Keytab name: FILE:/etc/krb5.keytab 


KVNO 


ND ND ND N D ND ND ND ND ND N 


2 
tsts 


Principal 

tstsrv$@ACME.COM 
tstsrv$@ACME.COM 
tstsrv$@ACME.COM 
cifs/tstsrv.acme.com@ACME.COM 
cifs/tstsrv.acme.com@ACME.COM 
cifs/tstsrv.acme.com@ACME.COM 
cifs/tstsrv@ACME.COM 
cifs/tstsrv@ACME.COM 
cifs/tstsrv@ACME.COM 
host/tstsrv.acme.com@ACME.COM 
host/tstsrv.acme.com@ACME.COM 
host/tstsrv.acme.com@ACME.COM 
rv:-/Desktop # 


The 12 keytab entries represents the Service Principals of the OES server. 


3. You can also execute kinit -k «name of the OES server>$ to ensure that the OES 
server is joined to the AD domain successfully. 


For example, kinit -k tstsrv$ 


On successful execution of the above command, it does not display any output message and 
returns to terminal. 


4) 1. Media-upgrade the NSS32 pools that your AD users need access to. 


The following is a simple, GUI-driven method. 


a. 


b 
C 
d. 
e 


At a terminal prompt, enter nssmu. 


. Select Pools 


. Select a pool. 


Type g, then type Y(es) » O(kay). 


. Select another pool and continue until all of the NSS32 pools that AD users need access 


to are media-upgrated 


For more information on the NSS Media upgrade options and processes, see "NSS Media Upgrade 
Commands’ in the OES 2015 SP1: NSS File System Administration Guide for Linux. 
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Process 


o 


Information and Links 


1. 


AD-enable the NSS volumes that your AD users need access to. 


The following is a simple, GUI-driven method. 
a. Ata terminal prompt, enter nssmu. 
b. Select Volumes 
c. Select a volume. 
d. Type G, then type Y(es) > O(kay). 
e 


. Select another volume and continue until all of the volumes that AD users need access to 
are AD-enabled. 


For more information on the NSS Media upgrade options and processes, see "NSS Media Upgrade 
Commands’ in the OES 2015 SP1: NSS File System Administration Guide for Linux. 


See also, "AD-enable the Volume" in the OES 2015 SP1: NSS File System Administration Guide for 
Linux. 


1. 


3. 


Review the information in Chapter 4, "Assigning NSS Trustee Rights for AD Users and 
Groups," on page 43 to ensure that you understand the trustee-assignment processes and the 
associated caveats, then continue with Step 2. 


Assess whether the OES User Rights Map utility (NURM) applies to your organization by 
considering the following questions: 


a. Do any of your AD users and groups have matching eDirectory accounts? 


If so, you can use the OES User Rights Map utility (NURM) to map the rights between 
eDirectory and Active Directory users and groups and then apply NSS trustee 
assignments based on the mapping. 


If not, skip to process 7. 


b. Do you use NetlQ Identity Manager 4.5 or later to coordinate identities and passwords 
between Active Directory and eDirectory, and do you have a user map that was created 
using IDM Designer? 


If so, NURM can leverage that map. 
If not, you can create a map using NURM. 


c. Do you want to consolidate your overlapping eDirectory and Active Directory accounts to 
only Active Directory? 


If so, you can have NURM delete the eDirectory trustee assignments. 
If applicable, run NURM to assign NSS trustee rights to your AD users. 


For more information, see Section 6.4, "NURM (OES User Rights Management)," on page 61. 


1. 


For AD users and groups who need NSS access and do not have matching eDirectory 
accounts, you can grant trustee assignments using either the NFARM Windows shell extension 
or the rights utility. 


Use other NSS tools to manage file and directory ownership, usage quotas and the other 
things that you manage for eDirectory users and groups. 


» 


For more information, see “OES File Access Rights Management (NFARM)”, “rights”, 
"nsschown", and "nssquota" in the OES 2015 SP1: NSS File System Administration Guide for 
Linux. 
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Process Information and Links 


Cy To access the AD enabled NSS volumes, do the following: 


* Ensure to create a forward lookup DNS entry for OES server where AD enabled NSS volumes 
are available. 

* Map the NSS volume with the complete DNS name of the OES server or host name (not with 
the IP address). 
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3.3 Upgrading to OES 2015 SP1 and Deploying NSS 
AD (Clustered Environment) 


Figure 3-3 Upgrading to OES 2015 SP1 and Deploying NSS AD in a Clustered Environment 
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Upgrading a Server and Deploying NSS AD 
(Clustered Environment) 


(1) Upgrade a cluster node (OES server) to 


OES 2015 SP1. m—e9—ipy 


Supported OES 2015 
previous releases SP1 


o On the fully upgraded and patched cluster node, 
run YaST and install the NSS AD Support module to: 


+ Install NSS AD software 
+ Join the AD Domain. Cluster Node AD Domain 
+ Set the NIT UID range. A 


Repeat from Step 1 for all cluster nodes. 


© verify that the AD Domain and Kerberos are 
configured and working as expected. sigh 
Ss 


g 
O Join the NSS cluster pools to the AD Domain. ps Pool 


o NSS-AD Media-upgrade targeted NSS32 cluster Pools. 
(NSS64 cluster pools are inherently upgraded.) 


o AD-enable targeted NSS cluster Volumes. 


ERI Provision NSS access for AD users who have 
matching eDir accounts by running NURM. 


Oo Provision the remaining AD users by using 
NFARM or the rights utility. 


o Access AD-enabled NSS cluster Volumes 


NSS Cluster 
Volumes 
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IMPORTANT: Before proceeding, ensure that you have met all the prerequisites specified in 
Section 2.2, “Meeting NSS AD Infrastructure Requirements,” on page 13. 


Table 3-3 Upgrading to OES 2015 SP1 and Deploying NSS AD 


Process Information and Links 


aD 1. Using the instructions in the installation guide, upgrade only one cluster node in your tree at a 
time. 


IMPORTANT: When upgrading the OES server, if NSS AD pattern is selected, then any 
misconfiguration in joining the domain can result in upgrade failure. Hence, it is recommended 
not to install NSS AD Support as part of the upgrade process. 


For more information about upgrading OES 11 Clusters, see "Upgrading OES Clusters" in the OES 
2015 SP1: Novell Cluster Services for Linux Administration Guide. 


For more information about upgrading OES 2 SP3 clusters, see Upgrading Clusters from OES 2 
SP3 to OES 2015 SP1 in the OES 2015 SP1: Novell Cluster Services for Linux Administration 
Guide. 
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Process 


Information and Links 


1. On the cluster node (OES 2015 SP1 server), run YaST and when you reach the Software 
Selections screen, select the Novell Storage Service AD Support pattern. 


m 
à YaST 


—— — SES 


Prepi 


» ol 


aration % Novell Storage Services AD Support Configuration 


ES Configuration 


AD Domain Name 
[ACME.COM 


AD Supervisor Group 
| Domain Admins 
AD User Name 

| Administrator 


Password 
| 
Container to create Computer Object 
| CN=Computers 
Use pre-created computer object 


Novell Identity Translator (NIT) Configuration 
x] Generate UIDs for AD users 

-UID Range 
Start End 


[100000 [$ [200000 zi 


Help Abort Back 


2. Spec 
* 


* 


ify the following details: 
AD Domain Name: The AD domain that the OES server is joining. 


AD Supervisor Group: Is the AD supervisor group name. The AD users belonging to 
this group will have supervisory rights for all the volumes associated with that OES server. 


AD User Name: Specify an AD administrator or user with the following privileges required 
to join the domain: 


* Reset password 
* Create computer objects 
* Delete computer objects 
+ Read and write the msDs-supportedEncryptionTypes attribute. 
Password: Is the password of the AD user who is used for the domain join operation. 


Container to Create Computer Object: The container where the OES 2015 SP1 
computer object either has been or will be created. 


If you have already created a computer object in Active Directory for the OES server, 
select Use pre-created computer object. 


Novell Identity Translator (NIT) Configuration: NIT generates UIDs as required for 
anyone accessing data on a Linux server. For more information on NIT, see "Section 6.2, 
"NIT (Novell Identity Translator)," on page 50". 


If you want NIT to generate UIDs for AD users, select Generate UID for AD users, then 
specify the UID range. If you want NIT to retrieve UIDs from Active Directory, do not 
select the Generate UID for AD users option. 


For more information about this option, see "Table 6-2 on page 52." 


3. When you click Next, the server/node is joined to the AD domain. 


For more information about joining cluster nodes to the AD domain, see “Joining the Cluster 
Node to an Active Directory Domain" in the OES 2015 SP1: Novell Cluster Services for Linux 
Administration Guide. 
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Process 


Information and Links 


Verify the AD domain and Kerberos is configured and working in all the cluster nodes. 


1. 


Ensure that the OES computer object is created in the AD domain you specified. 


2. Verify that the default keytab entries for the OES server are created by entering the following 


command at the server’s terminal prompt: 
klist -k 


For example: 


tstsrv:~/Desktop #klist -k 
Keytab name: FILE:/etc/krb5.keytab 
KVNO Principal 
tstsrv$@ACME.COM 
tstsrv$@ACME.COM 
tstsrv$QACME. COM 
cifs/tstsrv.acme.com@ACME.COM 
cifs/tstsrv.acme.com@ACME.COM 
cifs/tstsrv.acme.com@ACME.COM 
cifs/tstsrv@ACME.COM 
cifs/tstsrv@ACME.COM 
cifs/tstsrv@ACME.COM 
host/tstsrv.acme.com@ACME.COM 
host/tstsrv.acme.com@ACME.COM 
2 host/tstsrv.acme.com@ACME.COM 
tstsrv:-/Desktop # 


N ND NN D ND ND ND ND NN N 


The 12 keytab entries represents the Service Principals of the OES server. 


You can also execute kinit -k <name of the OES server>$ to ensure that the OES 
server is joined to the AD domain successfully. 


For example, kinit -k tstsrv$ 
On successful execution of the above command, it does not display any output message and 
returns to terminal. 


Ensure that CIFS is chosen as the advertizing protocol for the cluster resource. NSS resource 
access for AD users happens only through the CIFS protocol. 


For more information, see “Adding Advertising Protocols for NSS Pool Cluster Resources” in 
the OES 2015 SP1: Novell Cluster Services for Linux Administration Guide. 


Join the cluster pool to the AD domain by following the instructions in “Joining Cluster Pools to 
the AD Domain" in the OES 2015 SP1: NSS File System Administration Guide for Linux or 
“Joining the Cluster Resource to an Active Directory Domain" in the OES 2015 SP1: Novell 
Cluster Services for Linux Administration Guide. 


You can also use the following tools: 


* The novell-ad-util CLI tool for joining the domain. See Section 6.3.1, “novell-ad-util 
Command Line Utility," on page 57. 


* NSSMU. See "NSS Management Utility (NSSMU) Quick Reference" in the OES 2015 
SP1: NSS File System Administration Guide for Linux. 


Verify the Service Principal Names and computer objects by completing the steps in “Verifying 
the Service Principals and Computer Objects" in the OES 2015 SP1: Novell Cluster Services 
for Linux Administration Guide. 
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Process Information and Links 


© 1. Media-upgrade your NSS32 cluster pools that your AD users need access to. 


The following is a simple, GUI-driven method. 


a. 


b 
c. 
d 
e 


At a terminal prompt, enter nssmu. 


. Select Pools 


Select a pool. 


. Type g, then type Y(es) > O(kay). 
. Select another pool and continue until all of the NSS32 cluster pools that AD users need 


access to are media-upgraded 


For more information on the NSS Media upgrade options and processes, see "NSS Media Upgrade 
Commands" and "Upgrading the NSS Media Format” in the OES 2015 SP1: NSS File System 
Administration Guide for Linux. 


Ó 1. AD-enable the NSS volumes that your AD users need access to. 


The following is a simple, GUI-driven method. 


a. 


At a terminal prompt, enter nssmu. 


b. Select Volumes 
c. Select a volume. 
d. 
e 


. Select another volume and continue until all of the volumes that AD users need access to 


Type G, then type Y(es) » O(kay). 


are AD-enabled. 


For more information on the NSS Media upgrade options and processes, see "NSS Media Upgrade 
Commands’ in the OES 2015 SP1: NSS File System Administration Guide for Linux. 


See also, "AD-enable the Volume" and "Volume AD-enabling"in the OES 2015 SP1: NSS File 
System Administration Guide for Linux. 


Co 1. Review the information in Chapter 4, “Assigning NSS Trustee Rights for AD Users and 
Groups," on page 43 to ensure that you understand the trustee-assignment processes and the 
associated caveats, then continue with Step 2. 


2. Assess whether the OES User Rights Map utility (NURM) applies to your organization by 
considering the following questions: 


a. 


Do any of your AD users and groups have matching eDirectory accounts? 


If so, you can use the OES User Rights Map utility (NURM) to map the rights between 
eDirectory and Active Directory users and groups and then apply NSS trustee 
assignments based on the mapping. 


If not, skip to process 8. 


Do you use NetlQ Identity Manager 4.5 or later to coordinate identities and passwords 
between Active Directory and eDirectory, and do you have a user map that was created 
using IDM Designer? 


If so, NURM can leverage that map. 
If not, you can create a map using NURM. 


Do you want to consolidate your overlapping eDirectory and Active Directory accounts to 
only Active Directory? 


If so, you can have NURM delete the eDirectory trustee assignments. 


3. If applicable, run NURM to assign NSS trustee rights to your AD users. 


For more information, see Section 6.4, "NURM (OES User Rights Management)," on page 61. 
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Process Information and Links 


O 1. For AD users and groups who need NSS access and do not have matching eDirectory 
accounts, you can grant trustee assignments using either the NFARM Windows shell extension 


or the rights utility. 

2. Use other NSS tools to manage file and directory ownership, usage quotas and the other 
things that you manage for eDirectory users and groups. 
For more information, see “OES File Access Rights Management (NFARM}”, “rights”, 
"nsschown", and "nssquota" in the OES 2015 SP1: NSS File System Administration Guide for 
Linux. 


Q To access the AD enabled NSS cluster volumes, do the following: 


+ Ensure to create a forward lookup DNS entry for netbios name of the cluster resource. 


+ Map the NSS cluster volumes with the complete DNS name created for the cluster resource or 
with the short name of the netbios name of cluster resource (not with the IP address). 


3.4 Leave a AD Domain 


Use novell-ad-util to disjoin an OES server from the AD domain. Using YaST or NSSMU, you 
cannot disjoin from the AD domain. 


To disjoin the OES host from the Active Directory domain, execute the following: 
1. kinit Administrator@EXAMPLE.COM 


Authenticates the administrator with the AD server, where "Administrator" is the domain admin or 
user with the sufficient rights and "EXAMPLE.COM'" is the AD domain. 


2. novell-ad-util --leave-domain --domain-name EXAMPLE.COM 
To disjoin a cluster resource from the Active Directory domain, execute the following: 
1. kinit Administrator@EXAMPLE.COM 


Authenticates the administrator with the AD server, where "Administrator" is the domain admin or 
user with the sufficient rights and "EXAMPLE.COM'" is the AD domain. 


2. Run the following command on the node where the cluster resource is currently running. 


novell-ad-util --leave-domain --cluster-resource .cn=CLUSTER-0ES2015- 
POOLSERVER.o=novell.t=NSSAD CLUSTER. --domain-name EXAMPLE.COM 


3. Run the following command on all the cluster nodes except the node where step 2 is performed. 


novell-ad-util --purge © --cluster-resource .cn-CLUSTER-OES2015- 
POOLSERVER.Ooznovell.tzNSSAD CLUSTER. 


Removes all the keytab entries of the cluster resource specified in the default keytab file. 


Verifying the Domain Leave 
To ensure that the domain leave is successful, verify the following: 


1. Computer objects in AD domain representing the OES host and cluster resources are removed. 
2. Keytab entries are removed from /etc/krb5.keytab. 
* klist -k | grep «netbios name of OES host» 
It should be empty after the OES host leaves the domain. 
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3.5 


3.6 


* klist -k | grep <netbios name of a cluster resource» 
Execute this command from all the cluster nodes. It should be empty after the cluster 
resource leaves the domain. 


If AD domain leave still fails, see Section 7.2, "Domain Leave Fails Using the novell-ad-util,” on 
page 89. 


Reconfiguring NSS AD 


If the OES host server or cluster resource is already joined to an AD domain and you need to join the 
same OES host server or the cluster resource to a different AD domain, then you need to reconfigure 
NSS AD using YaST. 


Before reconfiguring NSS AD, ensure to leave the AD domain. For more information, see "Leave a 
AD Domain" on page 41. 


After leaving the AD domain, perform the following to reconfigure NSS AD: 
1 Ensure that the AD requirements are met before reconfiguring the NSS AD. For more 
information, see "Meeting NSS AD Infrastructure Requirements" on page 13. 


2 Join to a AD domain. The AD domain can be the domain that was joined earlier or a different AD 
domain. For more information, see step 2, step 3 and step 4 of process 1 and process 2 in the 
Table 3-1 on page 23. 


Renaming the Netbios Name of OES Host or 
Cluster Resource 


To rename the netbios name of a OES host or a cluster resource, perform the following: 


1 Leave the domain. For more information, see “Leave a AD Domain" on page 41. 


2 Using iManager, rename the netbios name also known as CIFS Virtual Server Name. For more 
information, see Setting CIFS General Server Parameters in the OES 2015 SP1: Novell CIFS for 
Linux Administration Guide. 


3 Reconfigure NSS AD. For more information, see “Reconfiguring NSS AD" on page 42. 
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4.1 


Assigning NSS Trustee Rights for AD 
Users and Groups 


* Section 4.1, "Overview of the Provisioning Process," on page 43 
+ Section 4.2, “NURM Provisioning Caveats,” on page 44 


Overview of the Provisioning Process 


Novell provides a number of tools to help you provision your AD users and groups for NSS access. 
Figure 4-1 provides a high-level overview of the provisioning process. 


Figure 4-1 Provisioning AD User and Groups for NSS Access 
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Table 4-1 Upgrading to OES 2015 SP1 and Deploying NSS AD 


Step Information and Links 
ep + |f you have NetIQ IDM 4.5 or later, and you have created an Active Directory to eDirectory user 
map using IDM Designer (not the IDM iManager plug-in), the User Resource Map utility 


(NURM) can leverage the map for replicating NSS ACLS for eDirectory users and groups to 
NSS ACLs for corresponding AD users and groups. 


Select the IDM option to use a map file in eDirectory. 


IMPORTANT: Ensure that the eDirectory user entered in NURM has access to the DirXML - 
ADContext attribute in eDirectory from the administrative workstation where you will run 
NURM. 


* |f you don't have an applicable Active Directory to eDirectory user map, NURM helps you 
create one. 


* 


After you have verified the user map and the rights to be assigned to the users and groups, you 
can apply the rights to the selected NSS volume. 


* 


To enable AD users and groups that don't have corresponding eDirectory accounts, you can 
use the rights CLI command at the server's terminal prompt. 


+ You can also use the NFARM Windows shell extension to assign NSS trustee rights to AD 
users and groups. 


o000 
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+ Section 4.2.1, “Manager Created NetIQ IDM Map Files Do Not Work with NURM,” on page 44 


¢ Section 4.2.2, "NURM eDirectory User Must Have a CIFS Universal Password Policy,” on 
page 44 


42.4 iManager Created NetlQ IDM Map Files Do Not Work with 
NURM 


To use an IDM-created user map, NURM requires that the map be located in the DirXML-ADContext 
attribute in eDirectory. 


IDM Designer stores the map in the DirXML-ADContext attribute; the IDM iManager plug-in does not. 


For more information on creating the IDM drivers using IDM Designer, see Creating the Driver in 
Designer in the NetIQ Driver for Active Directory Implementation Guide. 


42.2 NURM eDirectory User Must Have a CIFS Universal 
Password Policy 


The eDirectory user that you specify in the NURM dialog must have the same universal password 
policy assigned as your eDirectory CIFS users. 


IMPORTANT: This applies to the eDirectory Admin and any container admins you might choose to 
specify when running NURM. 
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Managing NSS AD 


Table 5-1 outlines tools and tips for different the management areas associated with NSS AD 
Support. 


Table 5-1 Managing NSS AD Support 


Subject Tools and Tips 


AD Administrator Supervision of * Members of the Domain Admins group in the domain that a OES 
AD-enabled Volumes: server joins, have supervisory rights for all the AD-enabled volumes 
associated with that server. 


* To change the supervisor group for a server, enter the following 
command at the server's terminal prompt: 


nitconfig set ad-supervisor-group-AD-group-name 


Consolidate Storage to NSS * |f your eDirectory users access NSS, your Active Directory users 
access NTFS, and you want to consolidate your storage on NSS, 
you can retain both identity sources and use NFARM to manage the 
trustee rights and quotas of AD users. 


* You can also use the NSS rights and quota utilities to manage the 
rights and quotas of AD users and groups. 


* You can continue to use both eDirectory and Active Directory as is, 
or you can consolidate all identities to Active Directory and continue 
to use the NSS file system. 


Mass ACL Assignment * OES User Rights Management (NURM) 
Move and Split AD-enabled * Distributed File Services iManager plug-in 
Volumes 


see "Guidelines for Moving or Splitting NSS Volumes" and "Active 
Directory Environment" in the OES 2015 SP1: Novell Distributed File 
Services Administration Guide for Linux. 


NSS * iManager 
Media-upgrade an NSS32 pool at the time of pool creation. 


AD-enable a volume during or after volume creation. 
* NRM 

Manage DST Policies, primary and secondary volumes, and so on. 
* NSSMU 

Media-upgrade existing NSS32 pools. 

AD-enable existing volumes. 
* NLVM 

Specify the pool type as NSS64 or NSS32 (default). 


Force the creation of a 64-bit pool in a cluster with pre-OES 2015 
servers. 


Display all size outputs in a specified human-readable format. 
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Subject 


Quotas 


Tools and Tips 
For AD Users and Groups 
* OES File Access and Rights Management (NFARM) 


See Section 6.5.4, “Managing the Trustee Rights in the NSS File 
System,” on page 73 
* quota utility 


See "nssquota" in the OES 2015 SP1: NSS File System 
Administration Guide for Linux 


For eDirectory Users and Groups 
* iManager 
* quota utility 


See "nssquota" in the OES 2015 SP1: NSS File System 
Administration Guide for Linux 


AD User Access 


Managing NSS AD 


Single Forest Environment 


To restrict NSS resource access for Active Directory users and groups in a 
single AD forest environment: 
1. Create a universal group anywhere in the AD forest 
2. Specify its sAMAccountName as 
OESAccessGrp 


Only the members of this group will have NSS resource access based on 
their trustees assignments. 


If this group does not exist, all Active Directory users and groups in the 
forest can access the NSS resources based on their trustee assignments. 


Only one OESAccessGrp universal group can be created for an AD forest. 
Multi-Forest Environment 


To allow NSS resource access for Active Directory users and groups in 
Multi-forest environment: 


1. Create a Domain Local Group (DLG) in the AD domain to which OES 
server is joined. 

2. Specify its sAMAccountName as 
DLOESAccessGrp 


Only the members of this group (OES forest and across forest) has 
access to NSS resources based on their trustees assignments. 


In absence of this group, the AD users across the forest cannot access the 
NSS resources. 


NOTE: If both OESAccessGrp and DLOESAccessGrp groups are present 
in the AD domain, the DLOESAccessGrp takes priority for that domain. 
Therefore, only the members of DLOESAccessGrp group has access to 
NSS resources based on their trustees assignments. 


Subject 


Trustee Rights on AD-enabled 
NSS Volumes 


UIDs for Linux Access 


Tools and Tips 
For AD Users and Groups 
* OES File Access and Rights Management (NFARM) 
* rights utility 
For eDirectory Users and Groups 
* iManager 
* rights utility 
* Novell Client for Windows and Linux 
For information, see 


* Section 6.5.4, "Managing the Trustee Rights in the NSS File 
System," on page 73) 

* “rights” in the OES 2015 SP1: NSS File System Administration Guide 
for Linux). 


+ Use the nitconfig tool to configure the Novell Identity Translator 
(NIT) to manage UIDs for both eDirectory and Active Directory users 


See "Section 6.2, "NIT (Novell Identity Translator)," on page 50". 


Users and Groups 


AD Users and Groups 


* Use native AD tools, such as the Microsoft Management Console 
(MMC) 


eDirectory Users and Groups 


+ Use iManager 
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6.1 


NSS AD Utilities and Tools 


This section describes the software and tools for managing NSS AD. 


* 


* 


* 


* 


* 


* 


Section 6.1, “List of NSS AD Supported Tools,” on page 49 

Section 6.2, “NIT (Novell Identity Translator)," on page 50 

Section 6.3, "novell-ad-util," on page 57 

Section 6.4, “NURM (OES User Rights Management)," on page 61 

Section 6.5, "NFARM (OES File Access Rights Management)," on page 71 
Section 6.6, “FTP (Pure-FTPd) and OES 2015 SP1 for AD Users,” on page 82 


List of NSS AD Supported Tools 


The following tools are either new or enhanced to manage NSS AD Support in OES 2015 or later. A 
brief description of the NSS AD functionality follows each tool name. 


* 


* 


Auditing Client Logger (VLOG): Audit all file operations of AD users. For more information, 
see OES 2015 SP1: NSS Auditing Client Logger (VLOG) Utility Reference. 


iManager: Use the Storage plug-in to manage AD support on NSS pools and volumes. 


NOTE: iManager cannot be used to manage AD users and groups or their trustee rights on NSS 
resources. 


For more information, see "Novell iManager and Storage-Related Plug-Ins" in the OES 2015 
SP1: NSS File System Administration Guide for Linux. 


metamig: Save and restore NSS file system trustee, user quota, and directory quota metadata 
for AD trustees. 


For more information, see "Novell iManager and Storage-Related Plug-Ins" in the OES 2015 
SP1: NSS File System Administration Guide for Linux. 


nBackup: Back up and restore the NSS AD data and metadata. 


NOTE: The nbackup utility can be run only as an eDirectory user. Active Directory users cannot 
run this utility. 


For more information, see "Backup Applications" in the OES 2015 SP1: Storage Management 
Services Administration Guide for Linux. 


nitconfig: Specify and configure how the Novell Identity Translator (NIT) handles UID 
assignments for Active Directory users and groups. 


For more information, see Section 6.2, "NIT (Novell Identity Translator)," on page 50. 


OES User Rights Map (NURM): Apply the NSS trustee rights of eDirectory users, groups, and 
containers to Active Directory users and groups. The basic process is as follows: 


1. Create a proposed mapping between the eDirectory to Active Directory objects using a 
common name or other fields. 
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2. If needed, modify the proposed mapping and then save it. 
3. Apply the mapping to assign rights to corresponding AD users. 
For more information, see Section 6.4, “NURM (OES User Rights Management),” on page 61. 


* OES Files Access and Rights Management (NFARM): Manage the rights and quotas of AD 
users or groups on Novell Storage Services (NSS) resources. 


For more information, see Section 6.5, “NFARM (OES File Access Rights Management),” on 
page 71. 


+ NRM: Manage AD user connections and open files, and generate inventory reports for AD users. 
For more information, see OES 2015 SP1: Novell Remote Manager Administration Guide. 


* NSSCON: Using new NSS commands, upgrade NSS pool media to support Active Directory, 
AD-enabling NSS volumes, and so on. 


For more information, see the pool and volume sections in “NSS Commands" in the OES 2015 
SP1: NSS File System Administration Guide for Linux. 


* NSS Rights Utility: Specify NSS trustee rights for AD users and groups. 


The trustee information is saved in the file and directory metadata on the NSS volume and works 
seamlessly with NetWare if the volume is moved to a NetWare server. 


For more information, see “rights” in the OES 2015 SP1: NSS File System Administration Guide 
for Linux. 


* NSS Quota (nssquota) Utility: Set, get, or clear the AD user and group quotas on NSS 
volumes and files. 


For more information, see "nssquota" in the OES 2015 SP1: NSS File System Administration 
Guide for Linux. 


* NSS Change Owner (nsschown) Utility: Manage ownership of NSS resources for AD users. 


For more information, see “nsschown” in the OES 2015 SP1: NSS File System Administration 
Guide for Linux. 


* NSSMU Utility: Update NSS pools to support AD and AD-enabled NSS volumes. 


For more information, see “NSS Management Utility (NSSMU) Quick Reference" in the OES 
2015 SP1: NSS File System Administration Guide for Linux. 


6.2 NIT (Novell Identity Translator) 


The Novell Identity Translator (NIT) is a new service introduced in OES 2015 as explained in the 
following sections: 
+ Section 6.2.1, “A New NSS Authorization Model," on page 51 
* Section 6.2.2, “Not All Users Have UIDs by Default,” on page 51 
* Section 6.2.3, "Ensuring that Your CIFS-NSS Users Have UIDs,” on page 51 
* Section 6.2.4, “Which OES Components Rely on NIT,” on page 52 
+ Section 6.2.5, “What NIT Does,” on page 52 
+ Section 6.2.6, “Prerequisites,” on page 52 
+ Section 6.2.7, “NIT Components," on page 53 
+ Section 6.2.8, “NIT Log Files," on page 53 
+ Section 6.2.9, “Interactions With eDirectory and Active Directory," on page 53 
+ Section 6.2.10, “How NIT Works," on page 54 


50 NSS AD Utilities and Tools 


6.2.1 


6.2.2 


6.2.3 


* Section 6.2.11, “Active Directory users:,” on page 54 

* Section 6.2.12, “eDirectory users:,” on page 55 

+ Section 6.2.13, “Task FAQ,” on page 55 

+ Section 6.2.14, “Administrative Access Restrictions,” on page 56 
+ Section 6.2.15, “Performance and Tuning,” on page 56 

¢ Section 6.2.16, “Limitations,” on page 57 


A New NSS Authorization Model 


Beginning with OES 2015, a new authorization model has been included for CIFS-user access to 
NSS volumes. 


The new model requires that eDirectory and Active Directory (AD) users all have unique User IDs 
(UIDs). 


Not All Users Have UIDs by Default 


¢ eDirectory: LUM-enabled eDirectory users have UIDs; non-LUM-enabled eDirectory users do 
not. 


* Active Directory: Generally speaking, AD users don't have UIDs, but AD can be configured to 
assign the uidNumber attribute to users when required. 


Ensuring that Your CIFS-NSS Users Have UIDs 


The Novell Identity Translator (NIT) lets you ensure that all users requiring NSS authorization have 
the required UIDs. 


* eDirectory: When NIT is properly configured, all eDirectory users can access NSS using Novell 
CIFS, as summarized in Table 6-1. 


Table 6-1 NIT Guarantees UIDs for All eDirectory Users 


User UID Status in eDirectory What NIT Does 
LUM-enabled user Retrieves the UID from eDirectory 
Non-LUM-enabled user Generates a UID within the specified UID range 


* Active Directory: If needed, you can configure NIT to simply retrieve and pass along UIDs that 
are set in Active Directory by deselecting the Generate UIDs for AD Users option when you 
Configure the NSS AD Support service. However, you must then ensure that all AD users who 
need access to NSS through CIFS have the uidNumber attribute set on their AD account. The 
caveats associated with the Generate UIDs for AD Users option are summarized in Table 6-2. 
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Table 6-2 NIT Can Guarantee UIDs for Active Directory Users 


UIDs in Active Directory Generate UIDs for AD Users What NIT Does 

Option Status 
The uidNumber attribute is set for Enabled Generates UIDs within the 
some or all AD users. specified UID range for all AD 


users needing NSS access. 
Those users have a UID number 


in Active Directory. The uidNumber attribute in Active 
Directory is ignored. 


Disabled Retrieves the uidNUmber from 
Active Directory when available. 


Users without a uidNumber 
cannot access NSS. 


The uidNumber attribute is not Enabled Generates UIDs within the 
set for any AD users. specified UID range for all AD 


users needing NSS access. 
No AD users have a UID number 


in Active Directory Disabled No users can access NSS 
because none of them has a UID. 


624 Which OES Components Rely on NIT 


NIT is used as an infrastructure component by various OES services, including Novell CIFS, NSS, 
and SMS. 


6.2.5 What NIT Does 


NIT does the following: 


* 


Dynamically generates UIDs for non-LUM-enabled eDirectory users so that they can access 
NSS resources on Linux. 


As specified in the nitd.conf file, either retrieves or dynamically generates UIDs for Active 
Directory users so that they can access NSS resources on Linux. 


Provides user and group IDs and other details such as SID, samAccountName, GUID for AD 
identities and FQDN, GUID details for eDirectory identities to services like NSS, CIFS, and SMS. 


Is backward-compatible and co-exists with Linux User Management (LUM). 


Maintains all of the users information in an AD forest where the OES server's computer object is 
located. 


Ensures uniqueness of User IDs for all the users across eDirectory and Active Directory users 
and groups accessing an OES server. 


NOTE: The UIDs distributed by NIT are server-specific. They are not stored in eDirectory or 
Active Directory, and they are not visible to Linux services. 


6.2.6 Prerequisites 


The following are required for NIT to service Active Directory users and groups: 
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6.2.7 


6.2.8 


6.2.9 


DNS 


* Domain Controller and Global Catalog Server Discovery: DNS entries for all the Domain 
Controllers and Global Catalog Servers must exist in order for NIT to detect which of them are 
closest and then retrieve the required AD user information. Ensure to provide the complete DNS 
name of the OES CIFS server. 


+ SRV Records: The DNS should contain the SRV entries for the Domain Controllers, Global 
Catalog servers and KDC servers in the OES joined forest and other trusted forests. 


Kerberos 


For external forest trusts, “Kerberos Forest Search Order (KFSO)” should be enabled for Windows 
clients to connect an OES CIFS server. For more information, see Configuring AD Server to Support 
Kerberos Authentication for External Forest Users Using CIFS Client in the OES 2015 SP1: Novell 
CIFS for Linux Administration Guide. 


NIT Components 


NIT contains the following components: 
* nit daemon: Serves requests from CIFS, NSS, SMS, and other OES services to map and 
resolve eDirectory and Active Directory user identities as applicable. 


¢ nitconfig utility: Lets administrators configure NIT in a terminal prompt by adding and modifying 
configuration parameters. The nitconfig utility changes the /etc/opt/novell/nit/ 
nitd.conf file based on the parameters entered. 


¢ NIT configuration file: /etc/opt/novell/nit/nitd.conf. 


Each entry occupies a single line in the file. Lines that are blank, or that start with a pound sign 
(#), are ignored. 


IMPORTANT: If you change the NIT UID range, either manually or using the nitconfig utility, 
you must restart the server. 


NIT Log Files 


NIT actions are logged in the following locations: 
* NIT log: /var/log/messages 
You can change the default by entering the following command at a terminal prompt: 


nitconfig set log-file-location=path 


+ nitconfig log file: /var/opt/novell/log/nit/nitconfig.log 


Interactions With eDirectory and Active Directory 


NIT interacts with LUM, NCP, the AD Global Catalog Server, and Domain Controllers to retrieve and 
map user information. 
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6.2.10 How NIT Works 


Figure 6-1 NIT - overview 
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NIT supports two identity stores: 


* Active Directory 


and 
* eDirectory 


NIT can run in two modes: 


+ Support only eDirectory 
+ Support eDirectory and Active Directory 


You can configure this through nitconfig by changing the value of ad -mode parameter. If you set the 
value to yes, then NIT supports eDirectory and Active Directory. If you set it to no, then NIT supports 
only eDirectory. 


6.2.11 Active Directory users: 


For Active Directory users, NIT can be configured to run in one of two modes: 


* Generate Mode: NIT generates and uses its own UID numbers. Even if the Active Directory 
users have the UID numbers populated, those are not used by NIT. 


or 


* Fetch Mode: NIT only retrieves UID numbers that are available in Active Directory. If a UID is 
not set for a particular user, that user cannot access NSS resources. 
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6.2.12 


6.2.13 


If you are configuring NIT in fetch mode for Active Directory users, ensure that the Active 
Directory users who require access to NSS file systems have UID numbers set in Active 
Directory. 


You must add the uidNumber attribute explicitly to the Global Catalog server because it is not 
part of the default attributes. 


For more information about replicating UID numbers to the Global Catalog server, refer to the 
Microsoft Knowledge Base (http://support.microsoft.com/kb/2487 17). 


By default, NIT runs in generate mode where UID numbers are dynamically generated for Active 
Directory users within the range that you specify in the NIT configuration. 


eDirectory users: 


For eDirectory LUM-enabled users, NIT obtains the UID number that is already available in 
eDirectory. NIT automatically creates UIDs for non-LUM-enabled users from the UID range that you 
specify either directly in nitd.conf or through the nitconfig utility. 


Task FAQ 


How do I set UID ranges? 
You can set the UID ranges through YaST as part of the OES installation. 


You can also set and manage UID ranges using the nitconfig utility after the NIT service is 
configured as part of OES installation. 


How do l estimate UID ranges? 


Estimate the number of users who might access the server, and then set a UID range that is double 
that number. Ensure that these ranges do not overlap with the LUM ranges and Linux UID ranges, if 
present. 


How long are UIDs valid? 


The UIDs are valid until the OES system is rebooted. However, the UIDs are retained when the NIT 
service restarts. 


Are the UIDs unique? 


UIDs generated are unique within each server's environment, including the Identity stores (eDirectory 
and Active Directory) and the local file systems (both Linux and POSIX). 


What happens if a cluster resource is moved? 


When a cluster resource is mounted on a different cluster node, UIDs are automatically generated for 
new user connections on the new node. UID management and generation is specific to each cluster 
node (OES 2015 SP1 server). There is no NIT configuration or activity at the cluster level. 


How do I manage NIT? 
To start, stop, and restart the NIT service, use these command options: 
rcnovell-nit status | stop | start | restart 


To configure and change NIT settings, use the nitconfig utility. 


IMPORTANT: If you change the NIT UID range, you must restart the server. 
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6.2.14 


6.2.15 


What is cache and SQLite DB? 


NIT stores eDirectory and Active Directory user information, GUID to UID mapping information and 
SID to GUID mapping information in non-persistent in-memory cache. 


NIT stores GUID to UID (UIDs generated by NIT for non LUM-enabled eDirectory and Active 
Directory users) mapping information in /var/opt/novell/nit/db/.g i info SQLite DB file, and 
SID to GUID mapping information in /var/opt/novell/nit/db/.s g info SQLite DB file. The 
information stored in SQLite DB files are persistent across NIT restarts. 


On a server reboot, the in-memory cache information is cleared and the .g i info SQLite DB file is 
deleted. 


When the NIT daemon is restarted, the in-memory cache is cleared and NIT rebuilds GUID to UID 
mapping information and SID to GUID mapping information into cache by reading from the SQLite DB 
files. 


In addition, only the user information in the in-memory cache is cleared once in 8 hours and the GUID 
to UID and SID to GUID mapping information remain unaltered. 


Administrative Access Restrictions 


When an OES server is joined to an Active Directory domain, by default, members of the Domain 
Admins group will have Supervisor rights over all the volumes that are enabled with Active Directory 
identities flag. 


You can override this default functionality by configuring a group of your choice. Because the group 
has full control over the Active Directory enabled volumes, add users with caution. 


If NIT could not identify the configured group from Active Directory, it falls back to the default 
behavior. 


Whenever you change the Active Directory supervisor group, do the following: 
1 Restart the NIT daemon by running the rcnovell-nit restart command at the terminal 
console. 


2 Restart the CIFS service by running the rcnovell-cifs restart command at the terminal 
console. 


3 Force the SEV update to occur immediately for all users in the NSS file system by running the 
nss /ForceSecurityEquivalenceUpdate command at the nsscon prompt. 


Performance and Tuning 


* ad-gc-handles: NIT interacts with the Global Catalog servers to fetch Active Directory user and 
group information. By default, NIT establishes 10 connections with the GC server. Based on the 
number of users, increase this number to improve the file access response time. 


* hash-size: NIT caches eDirectory and Active Directory user information in hash tables. By 
default, the size is configured to 211. This can be increased to a maximum of 1:10. For example, 
for 20,000 users the hash size will be a prime number close to 2048. 


NIT stores the user cache information in the following SQLite DB files: /var/opt/novell/nit/ 
db/.g i infoand /var/opt/novell/nit/db/.s g info. 


* UID Start and End Range: Changing the UID start and end ranges requires a system reboot. 
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6.3 


6.3.1 


Limitations 


NIT can dynamically detect the nearest domain controllers and Global Catalog servers. But if the 
OES-joined domain does not have any GC server within that domain, the IP address or DNS name of 
the nearest GC server should be specified in ad-gcserver and the ad-gc-discover set to false. 


novell-ad-util 


The Novell AD Utility (novell-ad-util) lets you do the following: 


* Join an OES server/cluster node or a Novell cluster resource to an AD domain. 
* Remove an OES server/cluster node or cluster resource from an AD domain. 


* Manage the Kerberos keytab files of OES servers/cluster nodes and cluster resources as 
required for authentication within the domain. 


The YaST installation component that lets you join an OES server/cluster node to an AD domain as 
part of configuring NSS AD support, leverages novell-ad-util in the background. 


novell-ad-util Command Line Utility 


novell-ad-utiljoins an OES server/cluster node or a Novell cluster resource to an AD domain, and 
manages the Kerberos keytabs of those components. 


Syntax 


novell-ad-util «activity» «optional parameters» 
Usage Options 


Primary Activity 
--join 
Joins the current host or cluster resource to the Active Directory domain. 


--leave-domain 


Disjoins the current host or cluster resource from the Active Directory domain by deleting the 
computer object from AD and flushes all entries from the keytab, including samAccountName. 


NOTE: To execute the - - join or --leave-domain commands, the user's Credential Cache 
should have sufficient rights to create or delete an object in Active Directory. 


--validate-container 


Checks if the container exists in the domain specified. It must be followed by the --context 
option. 


--flush-keytab 
Flushes all the entries from the keytab except samAccountName entries. 


--purge <number> 
Purges the keytab entries, retaining only the last specified number of key versions. 
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If this command is executed without the --cluster-resource option, key tab entries of the host 
are purged. 


If this command is executed with --cluster-resource option, key tab entries of the cluster 
resource are purged. 

--reset 
Resets the password, adds service principals if any, and updates all the corresponding entries in 
the keytab. 

--getrinfo 
Fetches the NetBIOS name of the cluster resource and the domain name where the cluster 
resource should join. It must be followed by the --cluster-resource option. 

--online 
This command is used for cluster resources. It must be followed by the --cluster-resource 
option. This command will merge the keys residing in the keytab files of the volumes with the 
default keytab of the node. 

--offline 


This is used generally for cluster resources. Must be followed by the - -cluster-resource 
option. When a cluster resource goes offline in a node during migration, this command will copy 
all they keys related to the cluster resource to all the available volumes' keytab from the node's 
default keytab. 


Optional Parameters 


--service-principal «service name» 
Creates a service principal for the associated account. For example, «service name»/ 
«hostname». «domain name»(0 «DOMAIN NAME?. 

--domain-name <name> 
Use the domain name specified instead of parsing the krb5 file to retrieve the domain name. 


--context 
Allows you to join your machine to a specific context of Active Directory (Default is 
CN=Computers.) 

--pre-created-object [yes/no] 
Allows you to join your machine to a pre-created computer object in the Active Directory. (Default 
is no.) 

--cluster-resource <virtual server_FDN_eDir_format> 


Joins or updates the current cluster resource to the Active Directory. The object will be created as 
the NETBIOS name of the cluster resource with 


+ samAccountName: «NetBIOS NAME»$ 
* service principal: host/<NetBIOS_NAME>.<domain_name>@<DOMAIN_NAME>. 
If used with --join or --reset, it also updates the keytab in 


* Each available volume associated with that resource in «mount path2/VOL NAME/ 
.. NETWARE/vol.keytab 


* The default keytab 
To find the virtual server FDN for the cluster resource in eDirectory format: 
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At the command prompt, execute the following commands. 
1. cluster resources to get the list of cluster resources. 


2. cat /var/opt/novell/ncs/<cluster_resource>.load, for example, cat /var/opt/ 
novell/ncs/NSSAD64_SERVER. load. 


#!/bin/bash 

. /opt/novell/ncs/lib/ncsfuncs 

exit_on_error nss /poolact=NSSAD64 

exit_on_error ncpcon mount BLR716993_VOL2=253 

exit_on_error add_secondary_ipaddress 192.168.100.10 

exit on error ncpcon bind --ncpservername-NSS64VM-NSSAD64-SERVER - - 
ipaddress-192.168.100.10 


exit on error novcifs --add '--vserverz",.cnzNSS64VM-NSSAD64- 
SERVER.o-novell.t-NSS64VM-TREE."' --ip-addr-192.168.100.10 
exit 0 


3. Identify the virtual server FDN for the cluster resource ".cn=NSS64VM-NSSAD64- 


SERVER.o-novell.tZNSS64VM-TREE." in the line exit on error novcifs --add '--vserver=". 


--pooldn «cluster pool FDN eDir Format» 
This can be used instead of cluster resourceFDN. 


Examples 


novell-ad-util --join --domain-name EXAMPLE.COM --service-principal cifs 


If your server name is oes2015 server.example.com, executing this command will create an 
account oes2015 server with 


+ samAccountName: oes2015 server$ 


* Service Principals: host/oes2015 server.example.com(QEXAMPLE. COM, cifs/ 
0es2015 server.example.com(QEXAMPLE. COM, and cifs/ 
o0es2015_server@EXAMPLE.COM 


Then it associates those principals with the computer account. 

It also updates the default keytab, /etc/krb5.keytab and /etc/krb5.conf files. 
novell-ad-util --join --cluster-resource .cn=CLUSTER-OES2015-POOL- 
SERVER.o=novell.t=-=NSSAD_CLUSTER. --domain-name EXAMPLE.COM --service-principal 
cifs 

If your cluster resource eDirectory object is .cn=CLUSTER-OES2015-POOL- 


SERVER.o=novell.t=NSSAD_CLUSTER. and it's NetBIOS name is cluster2015, executing this 
command will create an account cluster2015 (NetBIOS name) with, 


samAccountName: cluster2015$ 


Service Principals: host/cluster2015.example.com@EXAMPLE.COM, cifs/ 
cluster2015.example.com@EXAMPLE.COM, and cifs/cluster2015@EXAMPLE.COM. 


and associates those principals with the cluster account. 


If this cluster resource has volumes, VOL1 and VOL2 mounted on /media/nss, it updates the 
following: 


* The default keytab /etc/krb5.keytab 
* The keytab files in the volumes 
+ [media/nss/VOL1/. NETWARE/vol.keytab 
+ /media/nss/VOL2/. NETWARE/vol.keytab 
+ The kerberos configuration file /etc/krb5.conf 
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novell-ad-util --join --pooldn .cnZCLUSTER OES2015 POOL.o=novell.t=NSSAD_CLUSTER. -- 
domain-name EXAMPLE.COM --service-principal cifs 


Executing this command will join the cluster resources as explained in the previous example. 


novell-ad-util --leave-domain --domain-name EXAMPLE.COM 
Executing this command will disjoin the current host from the Active Directory domain. 


novell-ad-util --leave-domain --cluster-resource .cn=CLUSTER-OES2015-POOL- 
SERVER.o-znovell.t2NSSAD CLUSTER. --domain-name EXAMPLE.COM 


Executing this command will disjoin the cluster resource specified from the Active Directory 
domain. 


How do I remove stale entries of keytab for unjoined cluster resources on all cluster 
nodes in the cluster? 


When you disjoin a cluster resource from an Active Directory domain, novell-ad-util removes the 
keytab entries of that resource from the default keytab file, /etc/krb5.keytab, and deletes the 
volume keytab file. For example, /media/nss/voli/._NETWARE/vol. keytab on the node 
where the resource is running. 


Before disjoining the resource, if you have migrated it to other cluster nodes, all the cluster 
nodes where the resource is migrated will have the default keytab entires. 


When you disjoin the cluster resource, the default keytab entries for that specific cluster node 
and the volume keytab entries will be removed. However, the default keytab entries will still be 
seen on those nodes where the resource was migrated. 


To remove the stale entries, execute the following command respectively all nodes other than 
the node that you used for the resource disjoin: 


novell-ad-util --purge 0 --cluster-resource <cluster dn> --domain-name <domain 
name> 


This command removes the keytab entries of the cluster resource <cluster dn> specified; it will 
not remove the volume keytab file. 


novell-ad-util --validate-container --context CN=OES2015Servers --domain-name 
EXAMPLE.COM 


Validates the container OES2015Servers in the domain example.com. 
novell-ad-util --purge 2 


Removes keytab entires of the host from the default keytab file, retaining only the last two key 
versions. For example, if key versions 2,3,4,5 exist in the keytab file, executing this command 
will purge versions 2 and 3, and retain versions 4 and 5. 


novell-ad-util --purge 2 --cluster-resource .cn=CLUSTER-OES2015-POOL- 
SERVER.o=novell.t=NSSAD_CLUSTER. 


Removes keytab entires of the cluster resource specified from the default key tab file, retaining 
only the last two key versions. For example, if key versions 2,3,4,5 exist in the key tab file, 
executing this command will purge versions 2 and 3, and retain versions 4 and 5. 


novell-ad-util --purge 0 --cluster-resource .cn=CLUSTER-OES2015-POOL- 
SERVER.o-novell.tZNSSAD CLUSTER. 


Removes all the keytab entries of the cluster resource specified from the default key tab file. 


novell-ad-util --getrinfo --cluster-resource .cn=CLUSTER-OES2015-POOL- 
SERVER.o-novell.tZNSSAD CLUSTER. 


Fetches the NetBIOS name of the cluster resource and the domain name where the cluster 
resource should join. 
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novell-ad-util --join --domain-name EXAMPLE.COM --context cn=OES2015Servers --pre- 
created-object yes --service-principal cifs 


Joins this host to the Active Directory domain, provided the computer object for this host should 
already exist in Active Directory. The name of the pre-created object should be the same as the 
NetBIOS name of the server object. 


Files 


letc/krb5.conf 
Stores Kerberos configuration. 


letc/krb5.keytab 
Default keytab file that contains Service Principals of the OES server. 


lvarllog/novell-ad-util/novell-ad-util.log 
Stores the log information. 


Help Options 


--help 
Displays the help information commands and syntax, and then exits. 


NURM (OES User Rights Management) 


The OES User Rights Map (NURM) utility is used by administrators to map the Access Control List 
(ACL) of NSS resource that is owned by an identity in eDirectory to an identity in Active Directory. It 
maps the users and groups from eDirectory to Active Directory using a common name or any other 
field that is selectable by the tool. With this utility, the administrators can: 

* Create User Maps: Map eDirectory and Active Directory users and groups. 


* Leverage Existing IDM-based User Maps: Leverage NetlQ Identity Manager 4.5 or later maps 
that are created using IDM Designer (but not the IDM iManager plug-in). 


* Map User Rights: Assign rights to Active Directory users on NSS resources. 

* View Rights: View the rights of Active Directory and eDirectory users on a given volume. 

* Synchronizing Rights: Synchronize the rights of Active Directory and eDirectory users using 
the user-rights-map command line utility. 

+ Section 6.4.1, “Prerequisites,” on page 62 

+ Section 6.4.2, “Accessing OES User Rights Map Utility (NURM)," on page 62 

+ Section 6.4.3, "Mapping Users,” on page 63 

+ Section 6.4.4, “Mapping Rights,” on page 66 

¢ Section 6.4.5, “Viewing Rights,” on page 67 

+ Section 6.4.6, “NURM Command Line Utility,” on page 67 
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6.4.1 Prerequisites 


* Ensure that the universal password is enabled for the eDirectory user who is accessing NURM. 
This utility uses CIFS to fetch the volume information. Hence, when a user who is not universal- 
password-enabled accesses NURM, the volumes are not listed under the View Rights and Map 
Rights pages. For more information on enabling Universal Password Policy, see“CIFS and 
Universal Password” in the OES 2015 SP1: Novell CIFS for Linux Administration Guide. 


+ The eDirectory user managing NURM must have read and write access on the / admin/ 
Manage NSS/manage. cmd. 


* Ensure that CIFS user context is configured for the eDirectory user who is accessing NURM. For 
more information, see "Configuring a CIFS User Context” in the OES 2015 SP1: Novell CIFS for 
Linux Administration Guide. 


* |f you are to use NURM in an environment where eDirectory and Active Directory are 
synchronized using NetIQ IDM, ensure that DirXML -ADContext attribute is populated in 
eDirectory server. 


642 Accessing OES User Rights Map Utility (NURM) 


Along with the installation and configuration of NSS AD, the NURM utility gets installed. To access 
NURM: 
1 Open the OES server welcome page, then click Management Services » OES User Rights Map. 
OR 
Point your browser to https://<OES server IP address or the host name>/storm. 


2 Specify the user name or the FQDN of the eDirectory administrator in the User Name, specify the 
password, then click Login. 


The NURM welcome page should look similar to the following: 


@ OES user Rights Map O 
Rights Mapping Overview 
Map Users The following diagram depicts a sample workflow. 
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o e m 
n = = VOLT/MKTG à Susanne RWECMF | 
eDirectory ony = VOL1:/FINANCE i Thomas RWECMF 
S wVOLT/SALES 4 Albert RWECMF | 
= VOLTJMKTG à Susanne RWECMF I O *VOLT/MKTG _ : Acme/Susanne WECMF | 
= VOL1:/FINANCE 4 Thomas RWECMF | — NS =P |&VOLTJFINANCE :Acme/Thomas — RWECMF 
wVOLT/SALES  : Albert RWECMF S SEU SS *VOLT/SALES ^ : Acme/Albert RWECMF | 
I 4 Thomas «Thomas | 
Ò å Albert å Albert Ó Ó 
OES User Rights Map 
eDirectory tree Active Directory eDirectory tree Active Directory 
digitalairines acme.com digitalairlines acme.com 
= 0 Os ù 'Q- mm 
| RWECMF RWECMF ECM 
Na =: 
= = 
MKTG SALES FINANCE MKTG SALES FINANCE 
| ] L | 
Bg E E - 
a o g B 9 - 
VOL1 VOL1 
OES 2015 (NSS Volume) Windows Server OES 2015 (NSS Volume) Windows Server 


NURM is also available as a command line utility (user -rights-map). For more information on 
the CLI utility, see Section 6.4.6, “NURM Command Line Utility,” on page 67. 
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Mapping Users 


In an NSS AD environment, OES servers are joined to an Active Directory domain to provision AD 
users and groups native NSS resources access. To aid this, identities from Active directory will have 
to be mapped with identities on eDirectory and assigned the same rights as that of the eDirectory 
identities. NURM helps in creating this identity map, which is called a “user map”. User maps are 
used to assign rights to AD identities on the NSS resources. 


Using the Map Users feature, administrators can do the following: 


* Create new user maps: Map eDirectory and Active Directory (AD) users and groups. 
+ Import user maps 
* Export user maps 
* Refresh user maps 
* Delete user maps 
Before creating user maps, ensure that you are connected to an AD server. 


Connecting to an Active Directory Server 


To connect to the target AD server, click Connect to Active Directory, specify the following details, 
then click Connect. 


* User Name: Specify the AD Administrator user name or the FQDN. 
* Password: Specify the AD Administrator password. 
* Domain Name: Specify the realm of the AD domain. 


* Port: Specify the port with which you would like to connect to the AD server. If you would like this 
connection to be secure, select Use SSL. Some of the standard LDAP ports for Active Directory 
are 389, 636, 3268, and 3269. 


After you successfully establish the connection with the AD server, the 4 “25% ~ icon is 


displayed. The NURM screen should look similar to the following: 


OES User Rights Map 


Rights Mapping Map Users a £ Administrator ~ 
Map Users 


Map Rights New || Import || Export || Refresh || Delete 


View Rights 


User to User ROOT ROOT 


mapi User to User ROOT ROOT 


Disconnect 
To disconnect from the target AD server, click 4 Agminstrator + > 


NOTE: NURM supports multiple AD forests. Login to the respective forest before generating the user 
map. 


NSS AD Utilities and Tools 63 


64 


Creating a New User Map 


The user map could be created using any of the following methods: 
* Propose Map: Use this method to view, validate, and edit the generated user map before 
saving it on the server. 


* Save Map: Use this method when the number of records to be mapped are high and when you 
anticipate the user map generation to take more than five minutes. You can initiate the user map 
generation operation and continue using the application. The user map generation operation 
continues on the server side, and on completion, the generated user map is saved on the server 
and gets listed in the Map Users page. 

1 Click New, then specify the following details: 


* Match Type: Select an object mapping (user to user, group to group, or container to group). 
In the Target Matching Pattern, specify the wildcard-based search criteria. 


For example, if you want to match a group from the source identity store with a group on the 
target identity store that differs in naming conventions, you can use the Target Matching 
Pattern. 


For example, assume that you have the following groups on the source identity: eng- 
group-acme, sales-group-acmeUS, and so on; and technology-acme, sales-acmeUS, and 
so on in the target identity. In the Target Matching Pattern, specifying * -acme finds the 
match from eng-group-acme and technology-acme groups. 


* LDAP Attributes: Select Common Name to Common Name (CN to CN), Common Name to 
SAM-Account-Name (CN to SAM), or Custom Attributes matching criteria. 


If you choose custom attributes, you will have to specify the eDirectory and Active Directory 
object attributes. 


Examples of eDirectory object attributes include User Name (uid), Common Name (cn), 
Last Name (sn), and First Name (givenName). 


Examples of Active Directory object attributes include SAMAcountName, First Name 
(givenName), Last Name (sn), and email address (email). 


* eDirectory Context: Specify or browse and select the eDirectory tree search base context. 
If you would like to do a subtree search, select Search Subtree. 


* Active Directory Context: Specify or browse and select the AD server context. If you 
would like to do a subtree search, select Search Subtree. 


2 Click Propose Map to generate the user map. 
3 Validate the user mapping. If you need to modify any user mapping: 
3a Click ««, then specify or browse the AD server context. 
3b To replace or add an AD user in the proposed user map, select a row in the proposed user 
map, then from the search results, click o (add) found next to the search result. 


3c To remove a user from the proposed user map, click © (remove). To undo the deletion, 


click © (undo). 


TIP 


+ To modify an existing user mapping, click the user map name in the Map Users page, then 
follow the instructions in Step 3 on page 64. 
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¢ Pagination and Filtering: When the number of records to be displayed are huge, they are 
paginated, and each page holds up to 1000 records. The filter option works based on 
records in all the pages. 


¢ Sorting: Click any column title to sort the data either in ascending or descending order. 


If the number of records to be displayed are more than 1000, pagination is displayed at the bottom of 
the page for ease of navigation. Pagination includes the following: 

* Number of Pages: Displays the total number of pages. For example, Pages 4. 

* First: Displays the first page. 

* Last: Displays the last page. 

+ «: Displays the previous page. 

* »: Displays the next page. 

* Page Numbers: Clicking on these numbers, displays the respective page. 

* Go To Page: If you would like to navigate directly to a particular page, click the drop-down arrow, 


specify the page number, then click Go. 
Importing a User Map 


1 Click Import, then select the user map XML file using the Browse button. 
2 Specify an appropriate name for the user map, then click Import. 


Exporting a User Map 

Select the user map of your choice, click Export, then save it to a location of your choice on your 
computer. 

Refreshing a User Map 


If you feel that the mapping have changed since the time you have created a user map, you could 
refresh them using the same conditions that were used while creating them. 


To refresh an old user map, select the desired user map and then click Refresh. If there are any 
differences since the time there were created, those entries are highlighted with an information icon 
(undo). If you would like to revert changes, use the undo icon. After verifying the changes, click Save 
Map. 

Delete a User Map 


Select the user maps that you want to delete, then click Delete. 
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6.44 Mapping Rights 


Using this feature, you can map rights to AD users on a specific NSS volume. While doing so, you 
can choose to remove eDirectory trustees from the NSS file system and migrate the eDirectory IDs 
(owner, modifier, archiver, metadata modifier, and deletor) to AD users. 


To map rights: 


1 Select a volume on which you want to map rights to AD users. 
2 Select the source of user mapping: 


e OES User Rights Map On 
Rights Mapping Map Rights 

Map Users 
Map Rights New Map Rights Job 
View Rights 

Select Volume: 

PZCVOL1 ’ Apply To Salvage 
Remove eDirectory Trustees 
Select source of User Mappings Migrate IDs 
® NetlQ IDM 
User Map 


Selected User Maps Cancel | Apply 


+ NetIQ IDM: If you select this option, then directly go to Step 3 on page 66. 


NOTE: When IDM is used, the connection to eDirectory is established with secure SSL port 
636. For information on creating user map using IDM, see the NetIQ Identity Manager 4.5 
Documentation. 


* User Map: If you select this option, choose the appropriate user map name, then click 
Show >>. The user map is displayed along with the rights that will be assigned to the AD 
users. You can hide or display the user map and rights details using the Show »» and «« 
Hide buttons. 


3 Select the following options as needed: 
* Apply to Salvage: Applies rights to AD users on the salvaged files and folders. 


* Remove eDirectory Trustees: After assigning AD users as trustees, the eDirectory users 
will be removed from the NSS file system as trustees. 


* Migrate IDs: Assign eDirectory trustee IDs (owner, modifier, archiver, metadata modifier, 
and deletor) to AD users. 


4 Click Apply. 


To delete the mapped rights, select the Map Rights, then click Delete. 
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@ OES User Rights Map Or 
Rights Mapping Map Rights 


Map Users 

Map Rights New || Delete 
View Rights i mE WE "s eae 
VOL1 map-12 View REL 


VOL1 map 


n N 


NOTE: After deletion, you can no longer synchronize rights on the volume using the deleted map 
rights. 


To view the log information of the mapped rights, click View link under the Log column. 


Viewing Rights 


Using this feature, an administrator can view the explicit rights of both eDirectory and Active Directory 
users on the selected volume. When you select the volume name, the explicit rights are displayed 
along with the path, trustee, and rights information. This is the only tool that allows the administrators 
to view the rights of both AD and eDirectory users in a consolidated view. 


Beginning with OES 2015 SP1, a Refresh button is added next to volume name drop-down box, 
which allows users to view the rights information dynamically. 


NURM Command Line Utility 


* "map-users" on page 67 


* "user-rights-map" on page 69 


map-users 


Use this utility to generate a user map after specifying the necessary match type, context and so on. 


Syntax 
map-users 


map-users -u «specify the user map name» -a «eDirectory Username» -w «eDirectory 
password» -s «eDirectory Server IP» -p «eDirectory Connection Port» -l -c 
«eDirectory context» -st -t «specify the match type as user2user, group2group, or 
container2group» -m «specify the matching attribute as cn2sam» -A «AD username» -W 
«AD user password» -S «specify the AD server IP» -P «specify the AD server 
connection port» -L -C «specify the Active Directory context» -ST 


Options 


-u, --usermap-file «user map file name> 


Specify the name of the user map. After a successful execution of the map-users command the 
user map file is saved with the name that you specify here. 
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-a, --user <eDirectory username> 
Specify the eDirectory username to connect to NURM. 


-w, --password <eDirectory user password> 
Specify the eDirectory user password. 


-S, -server-ip <eDirectory server IP» 
Specify the name IP of the eDirectory server. 


-p, --port <eDirectory server connection port> 
Specify the port number to be used to connect to the eDirectory server. 


-c, --context «specify the eDirectory server context» 
Specify the eDirectory server context. For example, ou=users,o=novell. 


-st --subtree-search 
Use this option if you would like to consider all the users in the subtree. 


-t, --match-type <specify the match type> 
Specify the user match type. For example, user2user, group2group, or container2group. 


-m, --matching-attribute <attributes> 
Specify the match attributes. For example, cn2sam. As of now only cn2sam is supported. 


-A, --USER <specify the AD user name> 
Specify username of the AD user. 


-W, --PASSWORD <AD user password> 
Specify the AD user password. 


-S, --SERVER-IP <specify the AD server IP> 
Specify the IP address of the AD server that you would like to connect to. 


-P, --PORT <specify the AD server connection port> 
Specify connection port with which you would like to connect to the AD server. 


-L, --USE-SSL-AD 
Use this option if you would like a secure connection to the AD server. 


-C, --CONTEXT <specify the AD server context> 
Specify AD server context. 


-ST, --SUBTREE-SEARCH 
Use this option if you would like to consider all the users in the subtree. 


-h, --help 
Displays the usage information of the command. 
Examples 


1. For an interactive user map generation, use the following command and follow the on screen 
instructions: 


map-users 
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2. To map users by providing all the arguments: 


map-users -u mkt-usr-map -a root -w pa55word -s 192.168.1.1 -p 636 -1 -c 
ou=users,o=mkt -st -t user2user -m cn2sam -A Administrator -W Pa55word@@ -S 
192.168.1.2 -P 636 -L -C cn=users,dc=acme,dc=com -ST 


This command creates a user map with the following details: 
* Saves the user map as “mkt-usr-map” 


* Connects to the eDirectory server (192.168.1.1) with root credentials, context as 
ou=users,o=mkt, match type as user to user, matching attributes as CN to SAM, and 
searches the entire subtree while generating the user map. The connection type used is 
SSL using port 636. 


* Connects to the AD server (192.168.1.2) using the administrative credentials, context as 
cn=users,dc=acme,dc=com, and searches the entire subtree while generating the user 
map. The connection type used is SSL using port 636. 


user-rights-map 


Use this utility to map the rights of the mapped eDirectory and Active Directory users, groups, and 
containers. The mapped rights information is stored in a file and assigned an ID. Using this id, you 
can synchronize the rights of the users. 


Syntax 
user-rights-map -1 
user-rights-map -L 


user-rights-map -v «volume name» [[-u «User Map name 1 or the User Map 1 XML file 
path»,«User Map name 2 or the User Map 2 XML file path»,...,«User Map name n or the 
User Map n XML file path» |-i «-U username -P password»]][-a -m -r] 


user-rights-map -S -M «map rights id» [-O «ad | edir>] 


Options 
-l, --list-map-rights 

Lists the id, name of the user map, and the volume for which the rights are mapped. 
-L, --list-usermaps 


Lists the name of the user map, object mapping type (user to user, group to group, or container 
to group), eDirectory tree context, and Active Directory server context. 


-v, --volume «VOLUME NAME» 


Specify the NSS volume on which rights will be provisioned for the mapped users. The volume 
name should always be specified in upper case. 


-u, --usermap «user map name or path of the user map xml file» 


Specify the name of the user map or the path of the user map (.xm1) file that contains the 
mapping details of the eDirectory and Active Directory users, groups, or containers. If any of the 
user map names contain special characters, ensure to enclose all the user map names within 
double quotes. 
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NOTE: If you need to perform a sync, you must pass the name of the user map as an input 
parameter. Whereas, if the sync operation is performed using the user map (.xm1) file, it cannot 
be synced later. 


-i, --use-IDM <-U username -P password> 


Specify the eDirectory admin credentials (in LDAP format) to authenticate to eDirectory. The user 
map created using IDM is used for mapping the rights. 


-a, --apply-to-salvage 
Performs rights mapping on files and folders in the salvage system. 
-m, --migrate-ids 


Migrates the IDs [owner, archiver, metadata modifier, deletor] of files and folders to the mapped 
Active Directory users. This operation might take a while to complete. 


-r, --remove-old-trustee 


Removes the eDirectory user as a trustee on the files and folders after successfully mapping the 
user rights. Removes the Active Directory or eDirectory user as a trustee on the files and folders 
when used with -S and -O options. This operation is irreversible. 


-S, --sync 


Synchronizes the rights for both the eDirectory and Active Directory trustees. By default, it 
merges the rights of both the eDirectory and Active Directory trustees. To overwrite trustee 
rights, use the -O option. It is mandatory to use the sync option with the -M option. 


NOTE: The sync operation only synchronizes rights (applicable to salvage option). When 
creating the user map, if the options migrate-ids or remove-old-trustee are passed, they are 
ignored. 


-M, --map-rights-id <arg> 
Specify the id of the map rights operation. This option is used only with the sync option. 
-O, --overwrite-with <ad | edir> 


You must either pass ad or edir as an input parameter. When the ad parameter is passed, the 
rights of the eDirectory trustees are overwritten with the rights of the Active Directory trustees. 
When the edir is passed, the rights of the Active Directory trustees are overwritten with the 
rights of the eDirectory trustees. This option is used only with the sync option. 


-h, --help 


Displays the usage information of the command. 


NOTE: The user rights map log information is located at /var/opt/novell/log/nurm/user - 
rights-map.log. 


Examples 


1. Provision the rights on all files and folders of the volume MKTVOL, including the ones in the 
salvage system. 


user-rights-map -v MKTVOL -u /root/temp/UserMap.xml -a -m -r 


After successful execution of the user-rights-map operation, all the files and folders are 
provisioned with rights, all the ids are migrated, and the eDirectory user is removed as a trustee. 
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NOTE: If any of the user map names contain special characters, ensure to enclose all the user 
map names within double quotes. For example, user-rights-map -v MKTVOL -u "/root/ 
temp/UserMap.xml, usermap#2 -a -m -r. 


2. To list the user maps: 
user-rights-map -Lor 
user-rights-map --list-usermaps 
3. To list the user rights map ids: 
user-rights-map -lor 
user-rights-map --list-map-rights 


4. To sync rights between Active Directory and eDirectory trustees. The rights of the eDirectory 
user1 are RWF and the rights of Active Directory user1 are FMA on file1: 


user-rights-map -S -M 2 
The value “2” in the command represents the map rights job id created in example 1. 


After successful execution of the command, the rights of eDirectory and Active Directory trustees 
are merged. The rights of eDirectory user1 are RWFMA and the rights of Active Directory user1 
are RWFMA on file1. 


5. After the sync, the rights of the eDirectory trustees are overwritten with the rights of Active 
Directory trustees. The rights of the eDirectory user2 are RWF and the rights of Active Directory 
user2 are FMA on file2: 


user-rights-map -S -M 1 -O ad 
The value “1” in the command represents the map rights job id created in example 1. 


After successful execution of the command, the rights of eDirectory user2 are FMA and the 
rights of Active Directory user2 are FMA on file2. 


6. To synchronize rights between eDirectory and AD trustees (two way sync): 
user-rights-map -S -M 2 -O edir -m -r 


Synchronizes the rights of eDirectory trustees with AD trustees using the map rights job id “2”. 
During the sync process, it overwrites the Active Directory trustees with eDirectory trustees, 
migrates all the IDs, and the eDirectory trustee information is removed from the source after the 
sync process. 


user-rights-map -S -M 2 -O ad -m 


Synchronizes the rights of AD trustees with eDirectory trustees using the map rights job id “2”. 
During the sync process, it overwrites the eDirectory trustees with AD trustees, migrates all the 
IDs, and the AD trustee information is removed from the source after the sync process. 


NFARM (OES File Access Rights Management) 


OES File Access Rights Management (NFARM) is a Windows-based shell extension that enables 
Windows Active Directory administrators to manage the rights of AD users or groups on Novell 
Storage Services (NSS) resources. 


NFARM helps AD administrators or users with sufficient rights to mange the following: 


* Trustees explicit rights, inherited rights filter, and view effective rights. You can also view trustees 
with rights from the selected path and child or parent directories. 
* Owners, NSS attributes and directory quota 


* User quotas 
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+ All paths that a user is a trustee of 
+ Salvage and Purge (also supports eDirectory users) 


NOTE 


* User Quota and Files System Rights operations are restricted to AD domain administrators, and 
to use these features one should have logged in to the Windows workstation using the AD 
domain administrative credentials. 


* To view or modify User Quota and File System Rights for an AD user from the trusted domain or 
forest, ensure that the user belongs to AD supervisor group of the domain where OES server is 
joined. 


The term object referred to in this section, indicates a path, folder, or volume. 
After performing any operation in NFARM, you can click the following: 


* Apply to save changes to the NSS file system and remain in the same window. 
+ OK to save changes to the NSS file system and exit. 
* Cancel to discard changes and exit. 


All these operations are performed on a Windows mapped network drive that is mapped to an NSS 
volume, NSS Folder, or CIFS Share in the Windows client. These shares must be compatible with 
OES 2015 or later servers that have NSS AD set up and configured. 

+ Section 6.5.1, “NFARM Support Matrix," on page 72 

* Section 6.5.2, "Prerequisites for Installing NFARM," on page 72 

+ Section 6.5.3, "Installing and Accessing NFARM,” on page 73 

+ Section 6.5.4, "Managing the Trustee Rights in the NSS File System," on page 73 

+ Section 6.5.5, "Information," on page 76 

+ Section 6.5.6, “User Quota,” on page 76 

+ Section 6.5.7, “File System Rights," on page 77 

+ Section 6.5.8, "Salvage and Purge,” on page 77 


65.1 NFARM Support Matrix 


This section lists the requirements for installing and running NFARM: 


* Operating Systems (32 or 64-bit): NFARM can be installed on Windows 10, Windows 8.1, 
Windows 8, Windows 7 SP1, Windows 7, Windows 2012 R2, Windows 2012, Windows 2008 R2, 
and Windows 2008. 


* OES: NFARM is supported beginning with OES 2015. 


* Active Directory: Active Directories installed and configured on Windows 2008, Windows 2008 
R2, Windows 2012 and Windows 2012 R2. 


65.2 Prerequisites for Installing NFARM 


* Ensure that you have installed and configured NSS AD following the instruction at Chapter 3, 
"Installing and Configuring NSS AD Support," on page 19. 


72 NSS AD Utilities and Tools 


6.5.3 


6.5.4 


* Ensure that the Windows mapped network drive NSS volumes and CIFS shares are accessible. 
All NFARM operations are performed on a Windows mapped network drive NSS volume or CIFS 
share that is compatible with OES 2015 or later servers that have NSS AD set up and 
configured. For more information on mapping a CIFS share, see “Accessing Files from a 
Windows Client” in the OES 2015 SP1: Novell CIFS for Linux Administration Guide. 


* Based on your Windows operating system, download and install the correct version of NFARM 
(64-bit or 32-bit) from the OES Welcome page (https://<OES server IP or the host name>/ 
welcome/client-software.html). 


* 


Ensure that your Windows operating system has been configured to authenticate using Active 
Directory. 


+ The maximum memory units that can be specified for the directory and user quotas in NFARM 
are as follows: 


+ KB: 9007199254740991 
* MB: 8796093022207 

* GB: 8589934591 

* TB: 8388607 

+ PB: 8191 


Installing and Accessing NFARM 


Based on your Windows operating system, download the matching version of NFARM (64-bit or 32- 
bit) from the OES Welcome page (http://<OES server IP Address or the host name>/welcome/client- 
software.html), and install it. 


After installing NFARM, map an NSS volume or CIFS share, right-click > properties on the mapped 
share, and you get access to NFARM tabs. 


Managing the Trustee Rights in the NSS File System 


Using the Trustees tab, you can do the following: 
* View, add, edit, and remove explicit trustees and their rights on a selected path, which can be the 
root of a volume, a folder in the volume, a file or CIFS share. 
* View and edit the Inherited Rights Filter (IRF) for the selected path. 


* View the effective rights trustees on the selected path, and manage the rights inheritance on the 
selected path. 


Managing the Explicit Rights of Trustees 


Explicit rights are the rights defined for the trustee (user or group) on an object. This section explains 
the procedure to add or remove trustees on an object in addition to managing their explicit rights on 
the selected object. The trustee names displayed here are always preceded by the AD domain name 
along with the following eight NSS rights: 


* Supervisor: Grants all rights to the directory or file and any subordinate items. The Supervisor 
right can't be blocked by an Inherited Rights Filter. Users with this right can grant or deny other 
users rights to the directory or file. 


* Read: For a directory, grants the right to open files in the directory and read the contents or run 
the programs. For a file, grants the right to open and read the file. 
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¢ Write: For a directory, grants the right to open and change the contents of files in the directory. 
For a file, grants the right to open and write to the file. 


* Erase: Grants the right to delete the directory or file. 


* Create: For a directory, grants the right to create new files and directories in the directory. For a 
file, grants the right to create a file and to salvage a file after it has been deleted. 


* Modify: Grants the right to change the attributes or name of the directory or file, but does not 
grant the right to change its contents (changing the contents requires the Write right). 


* File Scan: Grants the right to view directory and file names in the file system structure, including 
the directory structure from that file to the root directory. 


* Access Control: Grants the right to add and remove trustees for directories and files and modify 
their trustee assignments and Inherited Rights Filters. 


NOTE: These NSS rights are not related to the Microsoft Windows rights in any way. 


* To edit or remove rights for the displayed trustees, select or clear the respective rights check 
boxes. Multiple trustee edit is possible. 


* To add trustees on a selected path, click Add..., search and select the AD users or groups, then 
select the rights. If you are entering multiple trustee names in the Enter the object names to 
select (examples) text box, separate each trustee with a semicolon. 


* To remove trustees, select the trustees that you want to remove, then click Remove. 


TIP: To delete multiple trustees, press and hold the Ctrl key while selecting multiple trustees. 


After managing the explicit rights, ensure that you click Apply in order for your changes take 
effect in the NSS file system. 


Managing Inherited Rights Filter (IRF) 


Subdirectories and files can inherit rights from their parent directory. The directory's rights flow down 
through its structure to subdirectories and files, except for specific subdirectories or files with their 
own trustee assignments that supersede inherited rights. When granting a trustee assignment to a 
subdirectory or file, the trustee assignment takes precedence over the inherited rights of its parent 
directory. 


The Inherited Rights Filter section displays the list of rights that are inherited from the parent object. 
To block inheritance of rights from the parent object to the selected object (file or directory), clear the 
respective NSS rights, then click Apply for the changes to take effect in the NSS file system. 


The supervisor rights cannot be blocked. 


Viewing the Effective Rights 


A user's explicit rights on a directory are combined with the filtered rights inherited from its parent 
directory. Any rights through security equivalence are also applied. 


A user's explicit rights on a file override any rights that can be inherited from its parent directory. In 
this case, the user has only the rights granted, and the inherited rights are ignored. If the user is a 
member of another group or role that also has explicit rights to the file, the user's effective rights on 
the file are a combination of the rights granted for the user and the rights granted for the group or role. 
If the rights of the group or role are more restrictive than the user's explicit rights, it has no effect on 
rights granted to the user. 
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An object’s effective rights to a subdirectory are the set of distinct rights from the following: 
* Rights inherited for the user from the parent directory, with consideration of the inherited rights 
filter set for the subdirectory. 
* Rights set explicitly for the user on the directory. 
* Rights set explicitly for a security-equivalent object on the directory: 
* Explicit by assignment (Security Equal To property) 
* Automatic by membership in a group or role 
* Implied by its parent container and by the [Public] container 
More restrictive security-equivalent rights do not override rights granted for the trustee on the 
directory or for the trustee's filtered inherited rights. 
An object's effective rights to a file are determined by the following: 


* Rights inherited for the user from the parent directory, with consideration of the inherited rights 
filter set for the file. 


If the user has rights set on the parent directory or is security equivalent to an object with explicit 
rights set there, those are the rights that flow down to the file for the user and are subject to the 
IRF. 


Inherited rights for a file are ignored if rights are set explicitly for the object or for a security 
equivalent of the object. This behavior is different than for a directory. 
* Rights set explicitly for the user on the file. 


Inherited rights are ignored. Explicit trustee rights for a security equivalent object are added. 
More restrictive security-equivalent rights do not override rights set for the trustee on the file. 


* Rights set explicitly for a security-equivalent object on the file: 
* Explicit by assignment (Security Equal To property) 
* Automatic by membership in a group or role 
* Implied by its parent container and by the [Public] container 
Inherited rights are ignored. Explicit trustee rights are added. 


For more information, see “How Effective Rights Are Calculated” in the NetIQ eDirectory 8.8 SP8 
Administration Guide. 


To launch the Effective Rights screen, from the Trustees tab, click Advanced... 


By default, for the selected object, the list of trustees along with their rights is displayed. To view the 
effective rights of some other trustee, click Select, then search or enter the trustee name. You must 
have adequate rights to view the effective rights of other trustees. 


Managing Trustees for Directories 


Using the Inherited Rights tab, you can get the explicit rights of the trustees from the selected path to 
the root of the volume and trustees from the selected path to the child directories in the volume. 


To launch the Inherited Rights screen, from the Trustees tab, click Advanced... > Inherited Rights. 
For example, assume that you have the following directory structure: 


+ \vol1\media\audio 
+ \vol1\org\country\us\ny\emp 
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+ \vol1\org\country\us\sic\emp 
+ \vol1\org\country\uk\In\emp 
+ \vol1\org\country\uk\Ipl\emp 


If you click Parent Directories from the “country” folder, it will list the explicit list of trustees and their 
rights in the country, org and vol1. It does not consider the media and its sub directories. 


If you click Sub Directories from the countries folder, it lists the explicit rights of all the trustees in the 
following directories: 
+ \vol1\org\country\us\ 
+ \vol1\org\country\us\ny 
+ \voli\org\country\us\sic 
+ \vol1\org\country\us\ny\emp 
+ \vol1\org\country\us\sic\emp 
+ \vol1\org\country\uk 
+ \vol1\org\country\uk\In 
+ \vol1\org\country\uk\Ipl 
+ \vol1\org\country\uk\In\emp 
+ \vol1\org\country\uk\Ipl\emp 


From this tab, you can also modify the explicit rights of the trustees by clearing or selecting the NSS 
rights check boxes. You can also remove trustees by using the Remove button. 


Information 


Using the Information tab, you can view and modify: 


+ The owner of a file 
+ NSS attributes 
* Directory quotas 


1. To change the owner of a file, click Change, then search for and select the new owner. 


2. To set the NSS attributes for the selected path, select or clear the respective attributes. These 
attributes vary based on the object chosen (file or directory). 


3. To change the directory quota of a selected path, click Edit, then specify the quota limit and the 
memory unit (KB, MB, GB, TB, PB). After setting the quota, you will be able to view the quota 
limit set, the used quota and the available quota. 


4. Click Apply for the changes to take effect in the NSS file system. 


User Quota 


Using the User Quota tab, you can add, edit, or remove the user quota limit for a single or multiple 
users concurrently. For every user, it lists the quota limit, used, and remaining. To set the user quota, 
you should either be an AD domain administrator or a user who has administrative privileges. You 
should also be logged in to the Windows workstation using the AD domain administrative credentials. 


1. Toassign quotas for a single or multiple users, click Add..., search and select users, then specify 
the quota limit. 
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2. To edit the quota limit, select users, click Edit..., then modify the quota limit. Press and hold the 
Ctrl key while selecting multiple users. 


3. To remove the quota set for users, select the users, then click Remove. 


NOTE: The user quota is always set at the volume level, regardless of the folder or share from where 
you have invoked the User Quota. 


File System Rights 


Using the File System Rights tab, you can do the following: 


* View all the objects that a user is a trustee of 

* Modify the explicit rights that the trustee has on an object 
* Add or remove the objects 

* View the rights of all groups to which the user is a member 


NOTE: To view or modify the File System Rights, you should either be an AD domain administrator or 
a user who has administrative privileges. Further, you should have logged in to the Windows 
workstation using the AD administrative credentials. 


1. To view the explicit rights of a trustee across objects at the volume level, click Select, then 
search and select a user or group. 


2. To modify the explicit rights that the trustee has on an object, select or clear the respective NSS 
rights check boxes next to the object name. 


3. To add an object and to assign rights to the trustee, click Add..., then select the path. 


4. To remove an object on which the trustee has rights, select the object, then click Remove. Press 
and hold the Ctrl key while selecting multiple objects. 


5. To view rights of all the groups to which the trustee belongs, click Group Rights. Group Rights is 
disabled if a group is selected. 


Salvage and Purge 


The Salvage and Purge utility for Windows lets you recover or delete the files and directories 
permanently from the NSS file system. The files that have been purged cannot be recovered. This 
tool gets automatically installed when you install NFARM. 


Salvaging Files 


The Salvage utility for Windows lets you recover the deleted files and directories from the NSS file 
system. 


To salvage: 


1 Right-click a Windows mapped network drive or folder, then click Salvage or Properties > 
Salvage. 
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Open 

Open in new window 
a Salvage... 
X Purge.. 


Restore previous versions 


Pin to Start 
Disconnect 
Copy 


Create shortcut 


Rename 


* |f you have logged in as AD user, the following tabs are displayed: 


General Previous Versions Trustee Rights Information 
User Quota | File System Rights | Salvage | Purge 


Path — YA © 


File Name Deletor Name Date Deleted 


; r 1 
@ |More Information Salvage Salvage All 
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* |f you have logged in as eDirectory user, the following tabs are displayed: 


r 


3e VOL2 (Z:) Properties 


| General | Previous Versions | Salvage | Purge | Customize 


Path — Z^ © 
File Name Deletor Name Date Deleted 
« " + 
o More Information Salvage l Salvage All 


(cana 


2 Select the salvageable files, then click Salvage. The selected files are salvaged. To salvage all 
files, click Salvage All. 


TIP 


* 


* 


To select all files: Select the first file, then press CTRL+SHIFT+END. 

To select multiple files: Press and hold the CTRL key, then click the files of your choice. 
To select a series of files: Press and hold the SHIFT key, then click the first file and the 
last files. 

To refresh: Click © (refresh) to display the latest list of salvageable files and folders. 
To sort: Click the column heading to sort the files and folders. The * icon indicates 
descending order and the ^ icon indicates ascending order. 


3 While salvaging, if a file already exists with the same name, you are prompted to rename it. 


4 To see the attributes of the selected files, click More Information. The attributes include: File 
name, Deletor Name, Date Deleted, Creator Name, Date Created, Modifier Name, Date 
Modified, Archiver Name, Date Archived, Date Accessed and File Size. 


The More Information dialog box also includes Salvage and Salvage All. Follow the same 
procedure provided in Step 2 on page 79 to perform the salvage operation. 
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Purging Files 


The purge utility for Windows lets you delete files and folders permanently from the NSS file system. 
Purging is an irreversible action. The files that have been purged cannot be recovered. 


To purge: 


1 Right-click a Windows mapped network drive or folder, then click Purge or Properties > Purge. 


Open 
Open in new window 
^in Salvage... 
Restore previous versions 
Pin to Start 
Disconnect 
Copy 


Create shortcut 


Rename 


* |f you have logged in as AD user, the following tabs are displayed: 


Salvage Purge Customize 


General | Previous Versions Trustee Rights | Information 
User Quota | File System Rights 


Path — YA © 


File Name Deletor Name Date Deleted 


o9 More Information Purge Purge All 
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* |f you have logged in as eDirectory user, the following tabs are displayed: 


: 
og VOL2 Z) Properties (em 


| General | Previous Versions. | Salvage | Purge | Customize | 
Path — Z^ © 


File Name Deletor Name Date Deleted 


X M b 


e More Information Purge | Purge All 


2 Select the files to be purged, then click Purge. The selected files are purged. To purge all files, 
click Purge All. 


TIP 
* To select all files: Select the first file, then press CTRL+SHIFT+END. 
* To select multiple files: Press and hold the CTRL key, then click the files of your choice. 


* To select a series of files: Press and hold the SHIFT key, then click the first file and the 
last files. 


* To refresh: Click © (refresh) to display the latest list of purgeable files and folders. 
+ To sort: Click the column heading to sort the files and folders. The * icon indicates 
descending order and the ^ icon indicates ascending order. 


3 To see the attributes of the selected files, click More Information. The attributes include: File 
name, Deletor Name, Date Deleted, Creator Name, Date Created, Modifier Name, Date 
Modified, Archiver Name, Date Archived, Date Accessed and File Size. 


The More Information dialog box also includes Purge and Purge All. Follow the same procedure 
provided in Step 2 on page 81 to perform the purge operation. 
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6.6.1 


6.6.2 


6.6.3 


FTP (Pure-FTPd) and OES 2015 SP1 for AD Users 


FTP file services on OES 2015 SP1 servers are provided by Pure-FTPd, a free (BSD), secure, 
production-quality and standard-conformant FTP server. The OES implementation includes support 
for FTP gateway functionality as on OES and offers a level of integration between AD and Pure-FTP 
that allows users to authenticate to AD for FTP access to the server. 


This section discusses the following topics: 


* Section 6.6.1, “Planning for Pure-FTPd,” on page 82 

+ Section 6.6.2, “Installing Pure-FTPd,” on page 82 

+ Section 6.6.3, “Home Directory Support in Pure-FTPd,” on page 82 

* Section 6.6.4, "Prerequisites," on page 83 

+ Section 6.6.5, "Configuring Pure-FTPd on an OES 2015 SP1 Server,” on page 83 


+ Section 6.6.6, “Administering and Managing Pure-FTPd on an OES 2015 SP1 Server,” on 
page 84 


+ Section 6.6.7, "Limitations," on page 87 


Planning for Pure-FTPd 


Before installing Pure-FTPd, ensure that users requiring FTP access have access rights to the areas 
on the server they need to use. 


Installing Pure-FTPd 


To install Pure-FTPd, select the Novell FTP pattern in the OES 2015 SP1 installation. 


Home Directory Support in Pure-FTPd 


The FTP server supports a home directory for users on local and remote CIFS servers. The remote 
server should be an OES server. When the home directory is set for the user in AD, the user is placed 
in the home directory on successful login to the OES server. 


Pure-FTPd supports three levels of home directory, default home directory, a user specific home 
directory on the local system, and a user specific home directory identified by the value set in AD. 


DefaultHomeDirectory or AD home directories can be disabled. If both of them are enabled, the 
following is used to establish the precedence: 

* User specific home directory set in AD 

* Default home directory 


User Specific Home Directory in AD 


An administrator can set the home directory for AD users as part of the User object in AD. On 
successful login to the FTP server, the user is placed in the home directory set in the user object. The 
User's home directory can exist either on the OES server that is hosting the FTP service or on any 
other OES server in the same tree. 


A new EnableRemoteHomeDirectory option is now available to support this home directory. By 
default, this option is set to NO and the home directory set for the user in AD is ignored. 
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To enable AD based home directory support, you must set both EnableRemoteHomeDirectory and 
remote_server to YES. FTP will then read the user’s home directory from AD and mount it locally. 


Default Home Directory 


DefaultHomeDirectory indicates the path to the common home directory for all FTP users. On 
successful login to the Pure-FTPd, users are placed in the default home directory. The default home 
directory can be a locally mounted NSS path or on a remote CIFS share. The NSS volume can be 
configured by using the DefaultHomeDirectory and DefaultHomeDirectoryServer settings. If the 
home directory is on a remote server, use DefaultHomeDirectoryServer, and set the DNS name of 
the remote CIFS server. As with any NSS volume, the FTP client should have required rights over the 
NSS volume whether DefaultHomebDirectory is on a local or remote server or not. 


The DefaultHomeDirectoryServer option is now available to differentiate whether 
DefaultHomeDirectory is on a local or remote server. By default, this option is set to NO so 
DefaultHomeDirectory points to a local path. 


To set DefaultHomeDirectory to point to a remote CIFS server with a DNS entry, you must specify 
the full path to the remote server, including the share name. For example, DefaultHomeDirectory / 
sharename. You must also set both DefaultHomeDirectory and remote server to YES. 


NOTE: The following are not supported for AD users: 


* POSIX home directory 
* Trusted GID feature 


Backslash in Input Paths 
Support for backslashes in input path is provided. Using FTP client on Windows, you can use 


backslash as separator in the path. allow backslash in path option is now available to allow back 
slash in the path. By default the option is set to NO. 


Prerequisites 


Ensure that the FTP server can resolve the DNS name of the remote OES server. 


Configuring Pure-FTPd on an OES 2015 SP1 Server 


To configure the Pure-FTPd server on OES 2015 SP1, edit the /etc/pure-ftpd/pure-ftpd.conf 
file. 


NOTE: It is very strongly recommended that you read through the entire /etc/pure-ftpd/pure- 
ftpd.conf file and be familiar with the available parameters and settings. 


For complete details, refer the pure-ftpd man page. 
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6.6.6 


Administering and Managing Pure-FTPd on an OES 2015 
SP1 Server 


¢ “Starting Pure-FTPd” on page 84 

¢ “Initializing Multiple Instances” on page 84 

* “Unloading Specific Instances” on page 85 

+ "Pure-FTPd Remote Server Navigation" on page 85 


Starting Pure-FTPd 


Start the Pure-FTPd server using the rcpure-ftpd command. 


Initializing Multiple Instances 


Pure-FTPd is loaded by using a configuration file. Multiple instances of Pure-FTPd can be loaded 


using different configuration files. 


By default, an instance of Pure-FTPd using /etc/pure-ftpd/pure-ftpd.conf file is loaded at the 
boot time by init.d script. For loading multiple instances, new configuration files need to be created. 


To load a new instance of Pure-FTPd: 


1 Create a new configuration file for each instance. 


For example: Copy /etc/pure-ftpd/pure-ftpd.conf to /etc/opt/novell/pure- 
ftpdi.conf. 


2 Modify the following settings in the configuration file to avoid IP address or port conflicts between 


the instances: 


* PIDFile: Points to the full path of the PID file created by the pure-ftpd instance. PID file is 
used for unloading a particular instance of pure-ftpd. Hence, ensure that the PID File path is 


unique for every instance. 


For example: /var/run/pure-ftp1.pid, /var/run/pure-ftp2. pid. 


* Bind: By default, pure-ftpd binds to all the IP addresses on the system and listens to 


requests over port 21. Modify the settings of the bind such that all the pure-ftpd instances 
bind to different IP addresses or port combinations. 


also, modify the settings in the /etc/pure-ftpd/pure-ftpd.conf to avoid any IP address 
or port conflict from the second instance. 


For example: If a system has two interfaces with two IP addresses 10.1.1.1 and 10.1.1.2, 


then the bind setting for two pure-ftpd instances can be Bind 10.1.1.1,21 and Bind 
10.1.1.2,21. 


3 Load the new instance using /usr/sbin/pure-config.pl «Full path of the config file» 


For example: /usr/sbin/pure-config.pl /etc/opt/novell/pureftpd-confs/pure- 


ftpd1.conf loads an instance using the config file /etc/opt/novell/pureftpd-confs/pure- 


ftpd1.conf. 


Verifying the Load of a New Instance 


Use the following methods to verify that the new instance of pure-ftpd is successfully loaded: 


* The ps -eaf | grep pure-ftpd command lists all the instances of pure-ftpd loaded on the 


system. 
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* The PID file as specified using the PIDFile entry in the configuration file has been created. 


+ An FTP connection from the client to the server over the IP address being used by the pure-ftpd 
instance can be created. 


Unloading Specific Instances 


A new script, pure-ftp-stop.pl, is added to unload an instance of pure-ftpd and all its child 
processes. The full path of the configuration file used to load the instance of pure-ftpd must be 
passed to the pure-ftp-stop.pl script. 


For example: /usr/sbin/pure-ftpd-stop.pl /etc/opt/novell/pureftpd-confs/pure- 
ftpd1.conf unloads the instance of pure-ftpd that was loaded using /etc/opt/novell/pureftpd- 
confs/pure-ftp1.conf. 


The PID file of the pure-ftpd instance is also used for unloading the pure-ftpd instance. 


Verifying the Unload of a New Instance 


* The PID file specified using the PIDFile entry in the configuration file has been deleted. 
* The number of instances displayed by ps -eaf | grep pure-ftpd is reduced. 
+ An FTP connection request to the server errors out. 


Pure-FTPd Remote Server Navigation 


After logging in to the AD tree, users can access files and directories on a remote Linux server 
whether or not the server is running Linux FTP Server software. The remote server can be another 
Linux OES server. 


This section describes how to configure and use the Remote Server Navigation feature. 


+ “Configuring Novell FTP” on page 86 


Active 
Directory 


| Fetch AD user details 


* “Path Formats” on page 86 


SMB client interface 


for AD users 
sq «CCC IFS Server 


eDirectory / AD users 
d * : = —— FTP Server ——— | 


NCP Server 


Non-NSS 
File System 


NCP client interface 


FTP Client for eDirectory users 


Local File NSS File 
System System 


OES 2015 SP1 or later server running 
the FTP service Remote OES servers 


Remote OES servers 


eDirectory users | NetWare or OES 


AD users | OES 2015 or later 
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The CIFS protocol lets you transfer files and navigate to and from remote OES servers. 
To navigate to remote servers, use the following command: 
cd //remote server name/share/directory pathname 


File operations such as get, put, and delete can be used on the remote server, even without 
changing the directory path to that server. 


For example: 
get //remote_server_name/share/directory path/filename 


The double slash (//) indicates that the user wants to access a remote server. After the double slash, 
the first entry must be the name of the remote server. The remote server name should be full DNS 
server name. 


Configuring Novell FTP 
Configuration file: /etc/pure-ftpd/pure-ftpd.conf 


The configuration parameters for remote server navigation are as follows: 


Entry Value Function 


remote_server yes Enables remote server navigation for the Pure-FTPd server. 


The following configuration parameters needs to be set for remote server navigation: 


Entry Value Reason Why 


ChrootEveryone no Option yes restricts users to login only to his home directory and cannot 
navigate to other directories including remote OES servers. 


AnonymousOnly no Option yes allows only anonymous login. 


NoRename no Option yes restricts users to rename the file. 


Path Formats 


Table 6-3 Linux FTP Server path formats 


Task Command Format 

Specifying the volume and directory path name //server_name/share_name/directory_path 
Navigating to different volumes cd //server_name/share_name 

Switching back to the home directory cd ~ 

Switching to the root of the server /root 

NOTE 


* The Linux FTP Server does not support wildcards at the root of the server. 
* When chroot capability is enabled, AD users are allowed to login with chrooted. 


NSS AD Utilities and Tools 


6.6.7 Limitations 


Co-existence Issue in Default Home Directory for Cluster Volumes: If Default Home Directory is 
used and the physical and cluster pool names is greater than 15 characters, then the NCP and CIFS 
server names will be different. Therefore, FTP login is impacted for both Remote Home Directory and 
Default Home Directory. 


If eDirectory and Active Directory users co-existence is needed, run two instances of FTP server. One 
instance for eDirectory users with NCP (Virtual) server name and another instance for Active 
Directory users with CIFS (netbios) server name. For more information on initializing multiple 
instances, see “Initializing Multiple Instances” on page 84. 
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7.1 


7.2 


Troubleshooting 


This section presents information on troubleshooting the NSS AD installation and configuration. 


+ Section 7.1, “Novell Storage Services AD Configuration is Greyed Out,” on page 89 
+ Section 7.2, "Domain Leave Fails Using the novell-ad-util,” on page 89 


+ Section 7.3, “Verification of the Container Object Fails During the AD Domain Join Process,” on 
page 90 


+ Section 7.4, “Troubleshooting NURM,” on page 90 
+ Section 7.5, “Troubleshooting NIT,” on page 91 


Novell Storage Services AD Configuration is 
Greyed Out 


The Novell Storage Services AD configuration is already done and if you try to reconfigure the same 
in the YaST screen, the Novell Storage Services AD configuration is greyed out. This is because the 
keytab entries are not empty and results in domain leave failure. 


To resolve this issue, ensure that the domain leave is successful. For more information, see “Verifying 
the Domain Leave” on page 41. 


Domain Leave Fails Using the novell-ad-util 


After verifying the steps provided in “Verifying the Domain Leave” on page 41, the domain leave still 
fails. This is because, 


* Domain Controller (DC) or DNS server is not working properly or 


* Netbios name of the OES host or cluster resource is modified after the OES host or cluster 
resource is joined to the AD domain. 


To resolve this issue, perform the following: 


1. Delete the computer objects in the AD domain manually. 
2. Remove the /etc/krb5.keytab file. 
3. In case of cluster resource, remove the /media/nss/VOL1/. NETWARE/vol.keytab file. 


After completing these steps, the OES host and cluster resource are brought back to the state where 
it can be joined to the AD domain. 
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7.3 


7.4 


1.4.1 


7.4.2 


Verification of the Container Object Fails During 
the AD Domain Join Process 


“Error: Verification of container object failed. Ensure that the AD Server is reachable.” 


If you encounter the above error during the AD domain join process, ensure that you have set the 
following: 


* AD server's reverse lookup entry (IPv4 and IPv6) in the DNS server before the domain join 
operation is performed. 


* AD domain name to which the OES server will be joined to as part of the Domain Search in OES 
server network settings. 


Troubleshooting NURM 


+ Section 7.4.1, "Volumes are not Listed in the View Rights and Map Rights Pages,” on page 90 
+ Section 7.4.2, "Active Directory User Names With Special Characters are Ignored,” on page 90 


¢ Section 7.4.3, "View Rights Option Does Not Work in NURM When There are 200K Users,” on 
page 91 


Volumes are not Listed in the View Rights and Map Rights 
Pages 


NURM uses CIFS to fetch the volume information. The volumes do not get listed in the View Rights 
and Map Rights Pages under the following conditions: 


* When a user who is not universal password enabled accesses NURM, the volumes do not get 
listed under the View Rights and Map Rights pages. To resolve this issue, ensure to set the 
Universal Password Policy for the user who is accessing NURM. For more information on 
enabling Universal Password Policy, see CIFS and Universal Password in the OES 2015 SP1: 
Novell CIFS for Linux Administration Guide. 


* When the CIFS user context is not configured for the eDirectory user who is accessing NURM. 
For more information, see Configuring a CIFS User Context in the OES 2015 SP1: Novell CIFS 
for Linux Administration Guide. 


* When the user, who is accessing NURM, does not have adequate rights on / admin/ 
Manage NSS/manage. cmd. 


Active Directory User Names With Special Characters are 
Ignored 


While creating a user in AD, if it contains any special characters (A[]:;|2, * *? «2 (Q)"), it is replaced with 
an underscore ( ) in the SAM account name after a warning; whereas, the user name continues to 
have the special character. For example, if you want to create a user named "tom*adm", the SAM 
account name will be "tom adm", and the user name will be "tom*adm". 


When you use IDM to synchronize the identity sources (eDirectory and Active Directory), IDM creates 
a user in eDirectory with the name "tom*adm". In this scenario, if you use NURM to map and apply 
rights, it ignores the identities with special characters. 
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7.4.3 


7.9 


View Rights Option Does Not Work in NURM When There 
are 200K Users 


"Error: Error in Communication." 


When you try to view the rights of 200,000+ users, NURM displays the error as mentioned above. 
This happens due to Java memory issues. 


To increase the Java memory: 


1. Edit /etc/opt/novell/tomcat6/conf/novell-tomcat6.conf and add the following entry after 
JAVA OPTS-"-Djava.library.path-/opt/novell/eDirectory/lib64:/var/opt/novell/ 
tomcat6/lib:/usr/lib64". 

JAVA_OPTS="$JAVA_OPTS -Xms1024m -Xmx2048m" 
2. Restart the OES instance of tomcat using the rcnovell-tomcat6 restart. 


Troubleshooting NIT 


* "Invalid UID Obtained" on page 91 
* "Unable to fetch tree name, error:11" on page 91 


Invalid UID Obtained 


Description: If the Active Directory user is denied access possibly the user is not assigned a valid 
UID. 


Cause: Run the nitconfig get command and check if ad-uid-generate-mode parameter is set to 
0. Setting this parameter to 0 means NIT operates in Fetch mode for Active Directory users and tries 
to fetch UIDs for those users from Active Directory. If the users do not have UIDs assigned in Active 
Directory you might encounter this error. 


Action: When you choose to fetch UID for Active Directory users, NIT fetches the uidNumber 
attribute set in Active Directory for all the Active Directory users. If UID is not set for a particular user, 
that user cannot access NSS file systems. If you are configuring NIT in fetch mode for Active 
Directory users, ensure that the Active Directory users who require access to NSS filesystems have 
UID numbers set in the Active Directory. Add the uidNumber attribute explicitly to the Global Catalog 
server as it is not part of default attributes. For more information about replicating UID numbers to the 
Global Catalog server, refer to the Microsoft Support website. 


Unable to fetch tree name, error: 11 
Description: eDirectory is down and NIT is not able to fetch tree name. 
Action: 


1 Start eDirectory by running the rcndsd start command. 
2 Start NIT by running the rcnovell-nit start command. 


Troubleshooting 91 


92 Troubleshooting 


A.1 


Reference Information 


+ Section A.1, “NIT Error Codes,” on page 93 


NIT Error Codes 


0 NIT_SUCCESS 

-9001 NITERR_ENTRY_NOTFOUND 

-9002 NITERR ATTRIBUTE NOTFOUND 

-9003  NITERR UIDRANGE EXHAUSTED 

-9004  NITERR IO ERROR 

-9005  NITERR PERMISSION DENIED 

-9006  NITERR NITD UNAVAILABLE 

-9007 = NITERR AD LDAP TIMEOUT 

-9008  NITERR EDIR ONLY MODE 

-9009 NITERR_INSUFFICIENT_BUFFER 

-9010  NITERR INSUFFICIENT MEMORY 

-9011 | NITERR UNKNOWN ERROR 

-9012 NITERR NO USER ACCESS GROUP 
-9013 | NITERR MANY USER ACCESS GROUP 
-9014  NITERR INVALID PARAMETER 

-9015  NITERR INVALID SUPERVISOR GROUP 
-9016  NITERR AD NOT REACHABLE 

-9017  NITERR EDIR NOT REACHABLE 


Success 
Active Directory search returned unexpected results. 


Specified attribute is not found in the Active Directory. 
For example: SID, UID, GUID and so on. 


The UID range has been exhausted. 
Unable to write the NIT configuration file. 


Request comes from a non-root user, permission is 
denied to perform the operation. 


NIT daemon is not running. 


NIT did not receive an answer from the LDAP server 
before the timeout interval. 


NIT runs in eDirectory mode, cannot perform Active 
Directory search operations. 


The caller has not allocated enough memory. 
There is no enough memory to allocate. 
Cause is unknown. 


Active Directory universal access group 
OESAccessGrp is not found. 


More than one Active Directory license universal 
group is found. 


The parameters passed are NULL or invalid. 


Specified Active Directory supervisor group is not 
valid. 


Active Directory server is not reachable. 


eDirectory server is not reachable. 
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